b'                                                                     u.s. OFFICE OF PERSO,,\'-1: L \'vL\\\'\\.\\GE\\lE,\\T\n                                                                                   OFFICE OF Til E I\'\\SPEC lOR GF\'\\ERAL\n                                                                                                       OFFIC I- OF ALDITS\n\n\n\n\n                                               Final Audit Report \n\n\n      Subj":Cl :\n\n\n\n\n                     FEDERAL INFORMATJON SECURITY \n\n                                         MANAGEMENT ACT AUDIT\n                                                                           FY 2010 \n\n\n\n\n                                                             Report :\\0.             U-C1-00-10-019\n\n\n                                                             Dale:                    Nov e mber 10, 2010\n\n\n\n\n                                                                           -- C-\\ F rIOI\\--\nTloi, aull il rrpot\'l h,,_   toe~1I   ui"lribu leti   I" ~\n                                                   r e,k ral "m,i. l, \\\\ !J~ are n"p\')",jbl ~ for lhe ~<lm\'lIL> rr "lio!l ()f (la\' ~ " di(~llllrn!: ,.~ m. 1 hi, al"l il \n\n[<I\'"n \'\'\' a.\' ,\'.," t "j n p"u pri ,"ar~ d~(" "hi"11 i, p. .. 1.~ 1<"d b~ F ed,-ra l b ... (18 t \' .\'i.e I ?O~ I. 1 I,en,r"r~. "d l il ,) til; \' aUl!il rrp" rt j . <I\' ai la hk \n\nLi nda \'h~ Fr ,"ecom fA l ofnrm :l1ion ,\\ct "flU "\'~lk a\' ~j l ~ bh- 10 II,,\xc2\xb7 Plll)i it nO (I,,\' 01( . "d>p,,:.:,-, ("ILUi"n Ilt\'n]\' t" Ilr ,\'\\ f r r"t(l IJ\\ fnl"<\' \n\nr d,\xc2\xb7,"inl.\' 110,- r~p"rt to th,\'HlI lT:tl publif a~ i! m~\' ("IU,,;n pr" pr ic \':tr~ i lOfurlll "Ii o li flt,, [ ,"" rtd" " I\\\'d I-r.. ", Iii,\' puhl id\' di"\'lhlt,,-d \'\'\'r~. \n\n\x0c                      UNITED STATES OFFICE OF PERSONNEL MANAGEMENT \n\n                                       Washington. 
DC 20415 \n\n\n\n  Oftk~ of the\nImpcctor G~ncral\n\n\n\n\n                                        Audit Report\n\n\n\n                          U.S. OFFICE OF PERSONNEL MANAGEMENT \n\n\n\n                   FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT \n\n                                         FY 2010 \n\n\n                                       WASHINGTON, D.C. \n\n\n\n\n\n                               Report No.        4A-CI-OO-\\O-O\\9\n\n\n                               Date:               11 /10/ 10\n\n\n\n\n                                                                ;ipe2t_ \n\n                                                                Michael R. Esser\n                                                                Assistant Illspector General\n                                                                  for Audits\n\n\n                                                                                  -      _.   -   -\xc2\xad\n                                                                                      www, usajcbs\xc2\xb7iOV\n\x0c                            UNITED STATES OFFICE OF PERSONNEL MANAGEMENT \n\n                                                Washing.ton. DC 2MI:; \n\n\n\n    Ofli ce of the\nIll spcclor Geneml\n\n\n\n\n                                            Executive Summary \n\n\n\n\n                                u .s. OFFICE OF PERSONNEL MANAGEMENT \n\n\n\n                         FEDERAL INFORMAnON SECURITY MANAGEMENT ACT AUDIT \n\n                                              FY 2010 \n\n\n                                               WASHINGTON, D.C. \n\n\n\n\n\n                                      Report No.           
4A-CI-OO-IO-019\n\n                                      Date:                  11/10/10\n\n\n\n          This fina l audit repon documents the Oflice of Personnel Management\'s (OPM\'s) continued\n          efforts to manage and $Ceure its information resources, The Office of the Inspector General\n          (OIG) has significant ongoing concerns regarding the overall quality orthe inform ation security\n          program at OPM.\n\n          In fiscal year (FY) 2007 and FY 2008 w!..\' reported a material weakness in controls over the\n          development and maintenance ofOPM\'s inlonnation technology (IT) sec urity polic ies. In FY\n          2009, we issued a Flash Audit Alert to OPM\'s Director highlighting our concerns with the\n          agency\'s IT security program, We also expanded the material weakness rdated to IT security\n          policies to include concerns with the ageney\'s overall information security governance and it s\n          information security management stmcture,\n\n          Although we ackno,"vJedge that some limited progress ,"vas made in FY 20 10 to improvt\' OrM\'s\n          security program. \\\\\'e continue to consider the IT security management structure. insufficient\n\n\n\n\n        www . opm,a:Q~\n\x0cstaff, and the lack of policies and procedures to be a material weakness in OPM\'s IT security\nprogram.\n\nIn addition, we are adding a second material weakness related to the management ofOPM\'s\nCertification and Accreditation (C&A) process. The C&A concerns were reported as a\nsignificant deficiency in the FY 2008 and FY 2009 Federal Infonnation Security Management\nAct (FISMA) audit reports. 
Specilically, we noted that not all systems at OPM have an active\nC&A, there is a wide range of quality in the C&A packages from various program offices, and\nthe Office of the Chief Infonnation Officer (OCIO) does not have the resources to facilitate the\nC&A process.\n\nThe agency has recently appointed a new Senior Agency Infonnation Security Official.\nHowever, it remains to be seen whether it will commit the necessary resources and develop the\nappropriate functions required of this role. We will reevaluate this issue during the FY 2011\nFISMA audit.\n\nIn addition to the material weaknesses describe above, the DIG noted the following controls in\nplace and opportunities for improvement\n\xe2\x80\xa2 \t The OIG does not agree with the number of systems identified in OPM\'s mastcr system\n    inventory. The OCIO takes a passive approach to maintaining the inventory, increasing the\n    risk that applications containing sensitive data arc operating in a production environment\n    without being subject to the IT security controls required by FISMA.\n\xe2\x80\xa2 \t The OCID does not maintain a single centralized inventory of the computer hardware in its\n    data centers.\n\xe2\x80\xa2 \t "me DCIO has developed a Windows XP image that is generally compliant with Federal\n    Desktop Core Configuration standards. However, this image has not been implemented on\n    any production workstations.\n\xe2\x80\xa2 \t The OCIO has developed thorough incident response and reporting capabilities.\n\xe2\x80\xa2 \t The OCIO has implemented a process [0 provide annual IT security and privacy awareness\n    training to all OPM employees and contractors. 
However, controls related to providing\n    specialized security training to individuals with inrormation security responsibility could be\n    improved.\n\xe2\x80\xa2 \t A Plan of Action and Milestones (POA&Ms) should be continuously managed for all agency\n    systems, but we fOWld that POA&Ms were updated evcry quarter in FY 20 I 0 for only 35 of\n    OPM\'s 43 systems.\n\xe2\x80\xa2 \t All 30 of the recommendations from the FY 2009 FISMA audit were appropriately\n    incorporated into the OCIO POA&M . However, POA&M items from the system-specific\n    audits conduc[ed by the OIG do not appear in the POA&M of the individual systems.\n\xe2\x80\xa2 \t The POA&Ms for 9 OPM systems contain security weaknesses with remediation activitics\n    over 120 days overdue.\n\xe2\x80\xa2\n\n\n\n                                                 ii\n\x0c\xe2\x80\xa2\n\xe2\x80\xa2 \t The OCJO has nOl developed a formal strategy to identify and continuously monitor the high\xc2\xad\n    risk security controls for OPM information systems.\n\xe2\x80\xa2 \t The aCIQ does not currently maintain a published list of common security controls.\n\xe2\x80\xa2 \t The aCID and other aPM program offices maintain up-ta-date contingency plans for only\n    36 of the 43 systems on OPM\'s master system inventory. The contingency plans for only 30\n    of 43 systems were adequately tested in FY 2010.\n\xe2\x80\xa2 \t aPM does not have a formal policy providing the aCIO and other program offices guidance\n    on the appropriate oversight of contractors and contractor-run systems. In addition, the\n    security controls were not tested in FY 20 I 0 for 7 of 11 contractor-operated systems.\n\n\n\n\n                                              III\n\x0c                                                                Contents\n\n\n\n   Executive Summary ................................................................................................................... 
i \n\n   Introduction............................................................................................................................... 1 \n\n   Background ............................................................................................................................... 1 \n\n   Objectives ................................................................................................................................. 1 \n\n    Scope and Methodology ........................................................................................................... 2 \n\n   Compliance with Laws and Regulations ................................................................................... 3 \n\n   Results ....................................................................................................................................... 4 \n\n           I. Information Security Governance ................................................................................. 4 \n\n          II. System Inventory .......................................................................................................... 7 \n\n         III. Certification and Accreditation Program ...................................................................... 9 \n\n        IV. Security Configuration Management .......................................................................... 15 \n\n         V. Incident Response and Reporting Program................................................................. 18 \n\n        VI. Security Training Program .......................................................................................... 18 \n\n       VII. Plan of Action and Milestones Program ..................................................................... 20 \n\n      VIII. Remote Access Program ............................................................................................. 24 \n\n        IX. 
Account and Identity Management Program .............................................................. 26 \n\n         X. Continuous Monitoring Program ................................................................................ 26 \n\n        XI. Contingency Planning Program .................................................................................. 28 \n\n       XII. Program to Oversee Contractor Systems .................................................................... 30 \n\n      XIII. Follow-up From Prior OIG Audit Recommendations ................................................ 31 \n\n   Major Contributors to this Report ........................................................................................... 43 \n\n\nAppendix I: \t       Status of Prior Audit Recommendations Issued by the Office of the Inspector\n                    General\n\nAppendix II: \t Office ofChiefInformation Officer\'s October 7, 2010 response to the draft audit\n               report, issued September 22, 2010.\n\nAppendix III: \t Fiscal Year 2010 FISMA Reporting Metrics\n\x0c                                         Introduction\n\nOn December 17, 2002, the President signed into law the E-Government Act (Public Law 107\xc2\xad\n347), which includes Title III, the Federal Information Security Management Act (FISMA).\nFISMA requires (I) annual agency program reviews, (2) annual Inspector General (IG)\nevaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of\nIG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing\nthe material received from agencies. In accordance with FISMA, we conducted an evaluation of\nOPM\'s security program and practices. 
As part of our evaluation, we reviewed OPM\'s FISMA\ncompliance strategy and documented the status of its compliance efforts.\n\n                                         Background\n\nFISMA requirements pertain to all information systems (national security and unclassified\nsystems) supporting the operations and assets of an agency, including those systems currently in\nplace or planned. The requirements also pertain to information technology (IT) resources owned\nand/or operated by a contractor supporting agency systems.\n\nFISMA reemphasizes the Chief Information Officer\'s strategic, agency-wide security\nresponsibility. At OPM, security responsibility is assigned to the agency\'s Office ofthe Chief\nInformation Officer (Ocro). FISMA also clearly places responsibility on each agency program\noffice to develop, implement, and maintain a security program that assesses risk and provides\nadequate security for the operations and assets of programs and systems under its control.\n\nTo assist agencies and IGs in fulfilling their FISMA evaluation and reporting responsibilities,\nOMB issued memorandum M-IO-IS, FY 2010 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management. This memorandum\nprovides a consistent form and format for agencies to report to OMB. It identifies a series of\nreporting topics that relate to specific agency responsibilities outlined in FISMA. Our audit and\nreporting strategies were designed in accordance with the above OMB guidance.\n\n                                          Objectives\n\nOur overall objective was to perform an evaluation of OPM\' s security program and practices, as\nrequired by FISMA. 
Specifically, we reviewed the following areas ofOPM\'s IT security\nprogram in accordance with OMB\'s FISMA IG reporting requirements:\n   \xe2\x80\xa2   System Inventory;\n   \xe2\x80\xa2   Status of Certification and Accreditation Program (C&A);\n   \xe2\x80\xa2   Status of Security Configuration Management;\n   \xe2\x80\xa2   Status ofIncident Response and Reporting Program;\n   \xe2\x80\xa2   Status of Security Training Program;\n   \xe2\x80\xa2   Status of Plans of Actions and Milestones (POA&M) Program;\n   \xe2\x80\xa2   Status of Remote Access Program;\n   \xe2\x80\xa2   Status of Account and Identity Management Program;\n   \xe2\x80\xa2   Status of Continuous Monitoring Program;\n\n\n                                                I\n\n\x0c   \xe2\x80\xa2   Status of Contingency Planning Program; and\n   \xe2\x80\xa2   Status of Agency Program to Oversee Contractor Systems.\n\nIn addition, we evaluated the security controls of two major applications/systems at OPM (see\nScope and Methodology for details of these audits). We also followed-up on outstanding\nrecommendations from prior FISMA audits (see Appendix I).\n\n                                  Scope and Methodology\n\nWe conducted this performance audit in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions\nbased on our audit objectives. We believe that the evidence obtained provides a reasonable basis\nfor our findings and conclusions based on our audit objectives. The audit covered OPM\'s\nFISMA compliance efforts throughout FY 2010.\n\nWe reviewed OPM\'s general FISMA compliance efforts in the specific areas defined in OMB\'s\nguidance and the corresponding reporting instructions. 
We also evaluated the security controls\nfor the following major applications:\n   \xe2\x80\xa2   Benefits Financial Management System (OlG Report No. 4A-CF-00-1O-018)\n   \xe2\x80\xa2   Annuity Roll System (OlG Report No. 4A-CF-00-1O-047)\n\nWe considered the internal control structure for various OPM systems in planning our audit\nprocedures. These procedures were mainly substantive in nature, although we did gain an\nunderstanding of management procedures and controls to the extent necessary to achieve our\naudit objectives. Accordingly, we obtained an understanding of the internal controls for these\nvarious systems through interviews and observations, as well as inspection of various documents,\nincluding information technology and other related organizational policies and procedures. This\nunderstanding ofthese systems\' internal controls was used to evaluate the degree to which the\nappropriate internal controls were designed and implemented. As appropriate, we conducted\ncompliance tests using judgmental sampling to determine the extent to which established\ncontrols and procedures are functioning as required.\n\nIn conducting our audit, we relied to varying degrees on computer-generated data provided by\nOPM. Due to time constraints, we did not verify the reliability of the data generated by the\nvarious information systems involved. However, we believe that the data was sufficient to\nachieve the audit objectives, and nothing came to our attention during our audit testing to cause\nus to doubt its reliability.\n\nAs appropriate, we conducted compliance tests using judgmental sampling to determine the\nextent to which established controls and procedures are functioning as intended. 
The results\nfrom tests performed on a sample basis were not projected to the universe of controls.\n\nSince our audit would not necessarily disclose all significant matters in the internal control\nstructure, we do not express an opinion on the set of internal controls for these various systems\ntaken as a whole.\n\n\n                                                 2\n\n\x0cThe criteria used in conducting this audit include:\n\xe2\x80\xa2 \t OPM Information Technology Security Policy Volumes I and 2;\n\xe2\x80\xa2 \t OMB Circular A-l30, Appendix III, Security of Federal Automated Information Resources;\n\xe2\x80\xa2 \t OMB Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information\n    Security Management Act and Agency Privacy Management;\n\xe2\x80\xa2 \t OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of\n    Personally Identifiable Information;\n\xe2\x80\xa2 \t OMB Memorandum M-06-16, Protection of Sensitive Agency Information;\n\xe2\x80\xa2 \t OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies;\n\xe2\x80\xa2 \t E-Government Act of2002 (P.L. 
107-347), Title III, Federal Information Security\n    Management Act of2002;\n\xe2\x80\xa2 \t National Institute for Standards and Technology (NIST) Special Publication (SP) 800-12, An\n    Introduction to Computer Security;\n\xe2\x80\xa2 \t NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information\n    Systems;\n\xe2\x80\xa2 \t NIST SP 800-30, Risk Management Guide for Information Technology Systems;\n\xe2\x80\xa2 \t NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;\n\xe2\x80\xa2 \t NIST SP 800-37, Guide for Security Certification and Accreditation of Federal Information\n    Systems;\n\xe2\x80\xa2 \t NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information\n    Systems;\n\xe2\x80\xa2 \t NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to\n    Security Categories;\n\xe2\x80\xa2 \t Federal Information Processing Standards (FIPS) Publication 199, Standards for Security\n    Categorization of Federal Information and Information Systems;\n\xe2\x80\xa2 \t FIPS Publication 140-2, Security Requirements for Cryptographic Modules; and\n\xe2\x80\xa2 \t Other criteria as appropriate.\n\nThe audit was performed by the OIG at OPM, as established by the Inspector General Act of\n1978, as amended. Our audit was conducted from May through September 2010 in OPM\'s\nWashington, D.C. office.\n\n                        Compliance with Laws and Regulations\n\nIn conducting the audit, we performed tests to determine whether OPM\'s practices were\nconsistent with applicable standards. 
While generally compliant, with respect to the items tested,\nOPM\'s OCIO and other program offices were not in complete compliance with all standards, as\ndescribed in the "Results" section of this report.\n\n\n\n\n                                                 3\n\n\x0c                                             Results\n\n     The sections below detail the results of the DIG\'s FY 2010 FISMA audit ofOPM\'s IT\n     Security Program. Several recommendations issued in FY 2010 were rolled-forward from\n     prior OrG audit repons, including:\n\n     \xe2\x80\xa2 \t Report 4A-CI-OO-09-0S3: "Flash Audit Alert -Information Technology Security\n         Program at the U.S. Office OfPC[SOTmei Management"\n     \xe2\x80\xa2 \t Report 4A-CI-OO-07-01S : "Audit of the Privacy Program at OPM - FY 200T\'\n     \xe2\x80\xa2 \t Report 4A-CI-OO-06-016: "Federal Information Security Management Act Audit\xc2\xad\n         FY 2006"\n     \xe2\x80\xa2 \t Report 4A-CI-OO-07-D07: "Federal Infonnation Security Management Act Audit\xc2\xad\n         FY 2007"\n     \xe2\x80\xa2 \t Reporl4A-CI-DO-08-022: "Federal Infonnation Security Management Act Audit\xc2\xad\n         FY 2008"\n     \xe2\x80\xa2 \t Report 4A-CI-OO~09-031: "Fedcrallnforrnation Security Management Act Audit\xc2\xad\n         FY 2009"\n\nI.   
Information Security Governance\n\n     The sections below outline the 01G\'s review of IT security governance at OPM.\n\n     a) \t IT Security Policies and Procedures\n\n        OPM\'s failure to adequately update its IT security and privacy policies and procedures\n        has been highlighted in the past four OlG FISMA audit reports, and has been identified as\n        a material \\veakness in the IT security program in the FY 2007, FY 2008 , and FY 2009\n        reports.\n\n        The absence or severely outdated nature of the followi ng policies, procedures, or\n        guidance has directly led to OIG audit findings in FY 2009 and 20 10 (this is not intended\n        fa be a comprehensive list ofmissing policies al OPAl):\n        \xe2\x80\xa2 \t Guidance for developing contingency plans, procedures for routinely conducting\n            contingency plan tests, and templates for reporting test results;\n        \xe2\x80\xa2\n        \xe2\x80\xa2 \t Guidance for developing risk assessments;\n        \xe2\x80\xa2 \t Guidance for dcveloping information system sec urity plans;\n        \xe2\x80\xa2 \t Policy and procedures related to oversight of systems operated by a contractor;\n        \xe2\x80\xa2 \t Policy related to roles and responsibilities for the Independent Verification and\n            Validation (IV&V) process and procedures for managing an rv&V;\n        \xe2\x80\xa2 \t Guidance for establishing agreements for interfaci ng system s;\n\n\n\n\n                                                 4\n\n\x0c\xe2\x80\xa2\n\xe2\x80\xa2 \t Policy on remote access and telecommuting; and\n\xe2\x80\xa2 \t Policy on patch management.\n\nAlthough several new security and privacy documents were published in FY 2010, this\narea continues to be a major concern as the limited IT policies available do not provide\nOPM employees with adequate guidance to secure the agency\'s infonnation systems.\n\nRecommendation 1 (Rol/4Forward (rom OIG Reports 
4A-CI-OO-09-03J\nRecommendation 30. 4A-C/-OO-09-0.B Rectlmmendation 2. 4A-C/-OO-OB-022\nRecommendatioll19. 4A-CI-OO-07-007 Recommeudation 3 and 9. 4A-CI-OO-07-0J5\nRecommendation I. and 4A-CI-OO-06-0J6 Recommendilliun 6)\nWe recommend that the DCIO develop up-te-date and comprehensive IT security\npolicies and procedures, and publish these documents to THEO. and a plan for updating\nthem at least annually.\n\nOCID Response:\n"The C/O concurs with this recommendation and offers clarifying remarks in order to\npresent a more current interpretation o/the .\'itatus ofthe IT security policies and\nprocedures. The IT security and privacy policy ..,olumes 1 and volume 2 were last\nupdated and posted on TilED in August 2009. The CIO understands that additional\npolicy updates are required to comply with guidance issued by NIST durillg the last\nyear and to address some deficiencies in the current policies. n,e Bureau ofthe Public\nDebt (BPD) has been retained through all Interagency Agreement to update and to\nbring IT Security and Privacy policies into OPJl1 and FISI\\1A compliance. A kickoff\nmeeting wa.\xc2\xb7; heldfor tl,i" project on September 2010 and BPD is expected to be on site\nto col/ect policy requirements during tile next 60 day.". A comprehen:iive IT security\nand Privacy Ilandbook is expected to be completed in FY2011.\n\nThis recommeudation also cited the need/or procedure!J" and a number ofprocedures\nwere created or updated alld posted Oil TIIEO in 200912010 including:\n\n\xe2\x80\xa2\t   Certification and Accreditation Guide (July 1009)\n\xe2\x80\xa2\t   lneident Re...ponse and Reporting Guide (July 2009)\n\xe2\x80\xa2\t   LAN Complex Passwords (June 1009)\n\xe2\x80\xa2\t   OPM Computer User Re!J"/Jonsibilitie." 
(June 2009)\n\xe2\x80\xa2\t   Plan 0/ Action and Milestone (POA&iW Stllnl/ard Operating Procedure (September\n     2009)\n\xe2\x80\xa2 \t Process for Analyzing New alld Emerging in/ormation Security and Privacy\n    Requirements (July 1009)\n\xe2\x80\xa2 \t System Acce.\\".\\\xc2\xb7 Authorization Procedure (JuIJ\' 2009)\n\xe2\x80\xa2 \t Privacy Impact Assessment (PIA) Guide (April 1010)\n\xe2\x80\xa2 \t System ofRecords Notice (SORN) Guit/e (April 2010)\n\n\n\n                                        5\n\n\x0c  The CIO believes that the abow! procedure!J\' have enhanced IT !J\'ecurity and privacy at\n  OI\'M and understands that additional work needs to be done to develop new\n  procedures and to enhance existing ones as necessary. Current procedure!J\' will be\n  revisited and additional ones will be developed in FY20ii a!J\' necessary. "\n\n   OIG Reply:\n   The majority of the new procedures referenced in the OCIO response were issued during\n   FY 2009. Although this limi ted progress was acknowledged in the FY 2009 OIG FISt\\1A\n   audit report, we continued to label this issue as a material weakness in OPM \' s IT security\n   program. The addition ora PIA Guide and SORN Guide in FY 2010 again represents\n   very limited progress in improving OPM\'s IT security and privacy policies, and this issue\n   continues to represent a material weakness in FY 2010.\n\nb) Information Security Management Structure\n\n   In FY 2009, the 0 1G issued a Flash Audit Alert to OPM\'s Director high li ghting OUT\n   concerns with the agency\'s IT security program. We also expanded the existing IT\n   security policy material weakness to include concerns with the agency\' s overall\n   informati on security governance and the information security management structure in\n   the oero.\n\n   At the end of FY 2009, arM had operated \\vithout a pemlanent Senior Agency\n   lnfomlation Security Officer (SAISO) for over 18 months. 
Although a new SA lSa was\n   appointed in FY 2010, 24 of the 30 audjt recommendations issued in the FY 2009 FISMA\n   audit report, and 2 of the 4 recommendations issued in the Flash Audit Alert, have been\n   rolled-forward into thi s FY 2010 FISM A report. We believe thi s indicates that the aC IO\n   does not have adequate resources to effectively remediate weaknesses in OPM\'s IT\n   security program.\n\n   Recommendation 2 (Roll-forward from OIG Report 4A-CI-OO-09-053\n   Recommendation 3)\n   We recommend that the OPM Director ensure that the aCIO has adequate resources to\n   properly staff its IT Securi ty and Privacy Group.\n\n   OCID Response:\n  "TIle CTO concurs with this recommendation and offers clarifying remarks in order to\n  present a more current interpretation of/he staffing situation in the iT Security and\n  Privacy Group. During the pastfive months, a Senior Agem.y Information Security\n  Officer has bein.l..!!i!:!!!..!nd the staff complement in the !J\'ecurity and privacy group has\n  increa.liiedfrom _ _ FTEs along witll contractor resources as needed.\n  Recognizing that additional stuffresource!J\' are needed, the CIO believes that\n  incremental progress is being made ;n th;s area. "\n\n\n\n\n                                            6\n\n\x0c         OIG Reply:\n         Although the OCIO has been authorized to hire. full time employees, only. of these\n         positions have been filled to date. We continue to believe that the DCID does not have\n         adequate resources to effectively remediate weaknesses in OPM\'s IT security program,\n         and we recommend that the IT Security and Privacy Group increase its staffing resources .\n\n      In September 20 I 0, the OCIO informed the OIG that OPM has secured funding to cnter into\n      an interagency agreement with the Bureau of Public Debt for assistance in developing a\n      comprehensive IT security handbook. 
The SAISO is also actively recruiting to fill several\n      open positions in thc OCIO.\n\n      Although the DIG acknowledges that DPM appears to be taking steps to improve its security\n      program, \\.ve continue to consider the insufficient reso urces and security governance in the\n      DCIO and the lack of policies and procedures to be a material weakness in OPM\'s IT\n      security program .\n\nII.   System Inventory\n      OPM has identified 43 major systems within 8 of its program offices. OPM \' s system\n      inventory indicated that these 43 systems were comprised of the following security\n      categorizations (as defined by Federal Information Processing Standards Publication 199): 7\n      high, 34 moderate, and 2 low. The inventory also indicated that 32 systems are operated by\n      OPM within its own IT infrastructure and 11 are operated by a contractor facility on behalf of\n      the agency.\n\n      The OIG does not agree with the number of systems identified in OPM \' s master inventory.\n      In FY 2010, the following anomalies were detected with the agency\'s inventory:\n         \xe2\x80\xa2 \t An OIG audit of one system in FY 2010 revealed that several applications were\n             inappropriately bundled into that single system on the inventory. The OIG\n             recommended that this system be divided into at least four separate applications on\n             the inventory.\n         \xe2\x80\xa2 \t An OIG audit ofa second system containing multiple applicalions revealed that the\n             program office owning the system does not have a clear understanding of which\n             specific applications are actually part ofiliat system. 
  Several applications were removed from this system and may not be accounted for elsewhere on the inventory.
• One system has been in production for many years but was not added to the inventory and subjected to a C&A until FY 2010.
• The OIG received copies of POA&Ms for three systems that did not appear on the inventory.

OPM's OCIO is responsible for maintaining the agency's master system inventory. The OCIO relies heavily on OPM's program offices to inform it of updates to the system inventory (e.g., new or decommissioned systems). Although monthly email reminders are sent to the Designated Security Officer (DSO) community asking for inventory updates, the OCIO generally maintained a passive approach to maintaining the agency's system inventory in FY 2010.

In September 2010, the OCIO began the process of surveying OPM's program offices in an attempt to identify any systems not currently reported on the inventory. The OIG believes that this is a good step toward implementing an active strategy for maintaining the system inventory. However, the OCIO needs to implement additional techniques to help ensure that the system inventory identifies all major applications in OPM's operating environment. Such techniques could include, but are not limited to:
• Routine review of database and hardware inventories to search for applications not accounted for on the system inventory;
• Use of software tools to scan the network environment for rogue hardware devices that are not accounted for on the system inventory; and
• Periodic survey of OPM employees (not just the DSO community) to inquire about applications used in their job function.

Failure to properly maintain OPM's master system inventory increases the risk that applications containing sensitive data are running in a production environment without being subject to the IT security controls required by FISMA. We consider the weaknesses related to the management of the system inventory to be a significant deficiency in OPM's information technology security program.

Recommendation 3
We recommend that the OCIO develop and implement an active strategy to maintain up-to-date information regarding OPM's master system inventory.

OCIO Response:
"The CIO concurs with this recommendation and has already taken steps through the issuance of a data call to the IT Security Working Group on September 8, 2010 to identify systems used by OPM that are not on the FISMA system inventory. The CIO has also initiated an internal review to determine if applications were inappropriately bundled into other larger systems as previously reported in prior audit findings. Additional systems identified from the data call and internal system review will be evaluated for addition to the master system inventory."

OIG Reply:
We acknowledge the limited progress the OCIO has made in improving the quality of its system inventory. However, the data call referenced in the OCIO response relies on other OPM program offices to notify the OCIO of new or modified information systems.
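The first two techniques suggested above (reviewing hardware inventories and scanning the network for devices missing from the system inventory) amount to a reconciliation between three data sources: the master system inventory, the hardware inventories, and what is actually answering on the network. The Python script below is an added example written for this edit; it is not a tool OPM or its OCIO uses, and every inventory row, column name, system identifier and scan line in it is constructed for illustration. It merges several independently maintained hardware sheets (the situation described in section IV b) below) into one list keyed by IP address without silently discarding disagreements, parses Nmap's grepable (-oG) output, and reports the discrepancies an auditor would follow up on: hosts on the network that no sheet knows about, hardware not mapped to any system on the FISMA inventory, hosts serving application ports with no system owner, hardware sheets that reference a system the master inventory does not list, and inventory systems with no hardware behind them.

```python
"""Reconcile a FISMA system inventory against hardware sheets and a network scan.

Added example for this edit, not OPM tooling; all data below is constructed.
"""
import csv
import io
import re
from pprint import pprint

# Open ports that suggest an application is being served (assumption: tune per site).
APP_PORTS = {80, 443, 1433, 1521, 3306, 5432, 8080, 8443}

# Constructed master system inventory (column names are assumptions).
SYSTEM_INVENTORY = """\
system_id,system_name,fips199,operated_by
SYS-01,Benefits Portal,moderate,OPM
SYS-02,Investigations Case Management,high,contractor
SYS-03,Legacy Payroll Reporting,low,OPM
SYS-04,Employee Survey Tool,moderate,OPM
"""

# Constructed hardware sheets kept by different teams, as in the finding.
HARDWARE_SHEETS = {
    "windows.csv": """\
hostname,ip,os,system_id
bp-web01,10.1.1.10,Windows Server 2008,SYS-01
bp-db01,10.1.1.11,Windows Server 2008,SYS-01
hr-app07,10.1.1.40,Windows Server 2003,
""",
    "linux.csv": """\
hostname,ip,os,system_id
bp-db01,10.1.1.11,RHEL 5,SYS-01
lpr-app01,10.1.3.5,RHEL 5,SYS-03
""",
    "fis.csv": """\
hostname,ip,os,system_id
icm-app01,10.1.2.20,Windows Server 2008,SYS-02
""",
}

# Constructed Nmap -oG output; fields after the host are tab separated.
NMAP_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 10.1.1.10 (bp-web01.example)\tStatus: Up
Host: 10.1.1.10 (bp-web01.example)\tPorts: 443/open/tcp//https///
Host: 10.1.1.11 (bp-db01.example)\tPorts: 1433/open/tcp//ms-sql-s///
Host: 10.1.1.40 (hr-app07.example)\tPorts: 80/open/tcp//http///, 3306/open/tcp//mysql///
Host: 10.1.1.77 ()\tPorts: 8080/open/tcp//http-proxy///
Host: 10.1.2.20 (icm-app01.example)\tPorts: 443/open/tcp//https///
Host: 10.1.3.5 (lpr-app01.example)\tStatus: Up
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")
PORT_RE = re.compile(r"(\d+)/open/tcp")


def read_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def consolidate_hardware(sheets):
    """Merge independently maintained sheets into one inventory keyed by IP.
    Disagreements are kept as sets and reported, not overwritten by the last sheet read."""
    merged = {}
    for sheet, text in sheets.items():
        for row in read_csv(text):
            entry = merged.setdefault(row["ip"].strip(), {
                "hostname": set(), "os": set(), "system_id": set(), "sources": set()})
            for field in ("hostname", "os", "system_id"):
                if row[field].strip():
                    entry[field].add(row[field].strip())
            entry["sources"].add(sheet)
    conflicts = [(ip, field, sorted(entry[field]))
                 for ip, entry in merged.items()
                 for field in ("hostname", "os", "system_id")
                 if len(entry[field]) > 1]
    return merged, conflicts


def parse_nmap_grepable(text):
    """Return {ip: {"hostname": str | None, "open_ports": set[int]}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines
        ip, name, rest = m.groups()
        host = hosts.setdefault(ip, {"hostname": name or None, "open_ports": set()})
        if rest.startswith("Ports:"):
            host["open_ports"].update(int(p) for p in PORT_RE.findall(rest))
    return hosts


def reconcile(system_csv, sheets, scan_text):
    """Cross-check the three sources and return the discrepancies to chase."""
    systems = {r["system_id"]: r["operated_by"] for r in read_csv(system_csv)}
    hardware, conflicts = consolidate_hardware(sheets)
    scan = parse_nmap_grepable(scan_text)
    claimed = {s for e in hardware.values() for s in e["system_id"]}
    return {
        # answering on the network, present in no hardware sheet
        "rogue_devices": sorted(ip for ip in scan if ip not in hardware),
        # in a hardware sheet, but mapped to no FISMA system
        "unassigned_hardware": sorted(ip for ip, e in hardware.items() if not e["system_id"]),
        # serving application ports with no system owner: candidate unreported applications
        "unaccounted_applications": sorted(
            ip for ip, h in scan.items()
            if h["open_ports"] & APP_PORTS and not hardware.get(ip, {}).get("system_id")),
        # hardware sheets referencing a system id the master inventory does not list
        "unknown_system_refs": sorted(claimed - set(systems)),
        # inventory systems with no hardware behind them; operated_by is kept because
        # contractor-hosted systems will never appear in an OPM-side sheet or scan
        "systems_without_hardware": sorted((s, op) for s, op in systems.items() if s not in claimed),
        "inventory_conflicts": conflicts,
    }


if __name__ == "__main__":
    pprint(reconcile(SYSTEM_INVENTORY, HARDWARE_SHEETS, NMAP_GREPABLE))
```

Two caveats apply when this is run against real data. A scan only proves presence, not absence: it must be run from every network segment, and hosts that are powered off or filtered during the scan window are simply not seen. And the "systems without hardware" list is a prompt for a question, not a finding by itself, since the 11 contractor-operated systems on OPM's inventory will never show up in OPM's own hardware sheets or network scans.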
We continue to recommend that the OCIO develop and implement an active strategy to maintain the system inventory using some or all of the suggested techniques outlined above.

III. Certification and Accreditation Program

System certification is a comprehensive assessment that attests that a system's security controls are meeting the security requirements of that system, and accreditation is the official management decision to authorize operation of an information system and accept its risks. Each major application at OPM is subject to the C&A process every three years.

The OIG's FY 2008 and FY 2009 FISMA audit reports stated that weaknesses in OPM's C&A process were a significant deficiency in the internal control structure of the agency's IT security program. The weaknesses cited related to inadequate management of the process and incomplete, inconsistent, and poor quality C&A products. In FY 2010 these longstanding conditions not only continued, but actually degraded. As a result, we are now reporting a material weakness in the IT security control structure related to OPM's C&A process.

We believe that the root causes of these issues include insufficient staffing in the IT Security and Privacy Group, a lack of policy and procedures, and the decentralized DSO model in place at OPM.

Insufficient staffing and the lack of documented policies are discussed in the Security Governance section of this report (section I). The third underlying weakness, in our opinion, relates to how OPM staffs the DSO position. OPM chose to implement a decentralized model in which the DSOs are typically appointed by and report to the program offices that own major computer systems. Very few of the DSOs have any background in information security, and most are only managing their security responsibilities as a collateral duty to their primary job function.

Perhaps in recognition of the inherent weaknesses in this arrangement, the OCIO established an Information Technology Security Working Group to provide guidance to the DSO community in a series of monthly meetings. Initially these meetings were a useful forum that involved training in IT security, discussion of various security-related topics, and the dissemination of emerging guidance. However, the meetings eventually degenerated into sessions where DSOs were upbraided for not meeting the required FISMA metrics; the focus seemed to be on "playing the FISMA numbers game" rather than implementing the foundations of a successful IT security program. Of late the DSOs have been complaining about being overly burdened as the OCIO, with limited resources, asks more of the DSO community.

IT security is a shared responsibility between the OCIO and program offices. The OCIO is responsible for overall information security governance, and program offices are responsible for the security of the systems that they own. There is a balance that must be maintained between a consolidated and a distributed approach to managing IT security. In our opinion, however, OPM's approach is too decentralized. OPM program offices should continue to be responsible for maintaining the security of the systems that they own, but the DSO responsibility for the C&A process (documenting, testing, and monitoring system security) should be centralized within the OCIO.

Recommendation 4
We recommend that OPM implement a centralized information security governance structure where all information security practitioners, including designated security officers, report to the Senior Agency Information Security Official. Adequate resources should be assigned to the OCIO to create this structure. Existing designated security officers who report to their program offices should return to their program office duties. The new staff that reports to the SAISO should consist of experienced information security professionals.

OCIO Response:
"The CIO concurs with this recommendation. The overall IT security governance at OPM can be improved by implementing a centralized information security governance structure consisting of IT security professionals."

The sections below provide a detailed evaluation of OPM's C&A program.

a) C&A policy

In July 2009, the OCIO published an agency-wide Certification and Accreditation Guide. The C&A Guide addresses the roles and responsibilities of key personnel, a walkthrough of the C&A process, and a listing of the various security documents that are required elements of a C&A, including:
• System Categorization;
• Privacy Impact Assessment (PIA);
• Information System Security Plan (ISSP);
• Risk Assessment;
• Security Control Test and Evaluation Plan and Report;
• Contingency Plan;
• System of Records Notice; and
• Plans of Action and Milestones.

However, OPM's C&A Guide does not provide standard forms, templates, or detailed guidance on how to prepare each of the required elements. The lack of such guidance has led to extreme inconsistencies in the quality of C&A packages for various OPM systems (see "Quality and Consistency of C&A Packages" below).

b) Appropriate use of the C&A process

As referenced in Section II above, the OIG identified one OPM system that was in production for several years without being subject to a C&A.

In addition, the prior C&A for six additional systems from OPM's inventory expired in FY 2010, and a new C&A has not been completed.
Although an "Interim Authorization to Operate" (IATO) was issued for these systems, they are currently running in a production environment without an active C&A.

An IATO may be appropriate to use in special circumstances where legitimate business reasons result in a C&A package not being completed before the prior C&A expires. However, we believe this process is abused at OPM and is used to extend the authorization to operate for program offices that did not adequately plan for their systems' required C&A.

Recommendation 5 (Roll-Forward from OIG Reports 4A-CI-00-09-031 Recommendation 16 and 4A-CI-00-08-022 Recommendation 9)
We recommend that all active systems in OPM's inventory have a complete and current C&A.

OCIO Response:
"The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. Program offices are responsible for the security and C&A of their systems. C&As are often contracted to various entities that employ different styles in preparing the final packages, and this explains why all C&A packages do not look alike. The CIO believes that all completed C&A packages must properly address required security controls and contain required artifacts per the OPM C&A Guide, and that the look and feel of packages is a reflection of the various sources contracted by the program offices to complete the packages.

Regarding the six systems with expired C&As, the CIO agrees that all production systems should have a current C&A. However, the OPM procurement process can be lengthy depending on workload, which has an effect on getting contracts and interagency agreements for C&A in place. The extended Authority to Operate for the six systems was issued in support of OPM mission support activities."

OIG Reply:
FISMA states that it is the responsibility of the OCIO to maintain an agency-wide information security program. Although the C&A process is a shared effort with OPM program offices, the OCIO has the primary responsibility to ensure that all C&A packages are completed in a timely manner and are of consistent quality.

The OIG is discouraged to see that the OCIO references the lengthy OPM procurement process as justification for having production systems operating without a C&A. The requirement for federal information systems to have an active C&A has been in place since 2003, and there has been ample time to properly budget IT security into the system development lifecycle. We believe that poor planning, insufficient staffing resources, and the OCIO's lack of authority over DSOs all contribute to this material weakness.

We believe that the centralized C&A approach referenced in Recommendation 4 would allow the OCIO to more efficiently manage the C&A process and ensure that an active C&A exists for each OPM system as required by FISMA.

c) Quality and consistency of C&A packages

The OIG reviewed the full C&A packages of 15 systems that were subject to a C&A during FY 2010. Although the packages we reviewed contained all of the elements required by OPM's C&A Guide, the quality of these packages varied significantly between systems.

The development of a C&A package is the responsibility of the OPM program office that owns the system. Each program office assigns a DSO to manage the security of its systems. The decentralized nature of the DSO community means that individuals with varying skill sets are tasked with C&A related responsibilities, often as a collateral duty in addition to their normal job function.

Although various forms of general guidance are available to assist program offices in the development of C&A elements, the OCIO has not implemented centralized policies, guidelines, or templates outlining how the various C&A elements should be completed for OPM systems. As a result, the content and quality of a specific C&A element vary widely between systems. During our review of FY 2010 C&A packages, we noticed the highest quality variance between the security controls tests (see "Testing of Security Controls," below), contingency plans (see section XI), risk assessments, and ISSPs of these systems.

Recommendation 6
We recommend that the OCIO develop a risk assessment policy to provide guidance to program offices conducting a risk assessment as part of the C&A process.

OCIO Response:
"The CIO does not concur with this recommendation. Risk assessment policies are documented in the current IT Security and Privacy Policy Volume 2 that is posted on THEO. However, the risk assessment policy will be revisited and updated in the new IT security policy updates that BPD has been retained to complete."

OIG Reply:
The IT Security and Privacy Policy Volume 2 states that the OCIO must develop a risk assessment policy along with procedures for facilitating the implementation of the policy. However, no such policies and procedures are contained within the document. The extreme range in quality between risk assessments conducted by various OPM program offices indicates that the OCIO has not provided adequate risk assessment guidance. We continue to recommend that the OCIO develop a risk assessment policy to provide guidance to program offices conducting a risk assessment as part of the C&A process.

Recommendation 7
We recommend that the OCIO develop an ISSP policy to provide guidance to program offices developing a security plan as part of the C&A process.

OCIO Response:
"The CIO does not concur with this recommendation. Information Systems Security Plan policies are documented in the current IT Security and Privacy Policy Volume 2 that is posted on THEO. The policies also reference NIST security plan templates that can be used to build a security plan. However, the IT security plans policy will be updated to provide additional guidance as part of the BPD policy update project.

Regarding the review of C&A packages, two full time resources have been hired to review C&A packages and to provide guidance to the DSO community. One of these resources is already onboard and the second is expected to start work after completing the necessary new employee onboarding procedures."

OIG Reply:
The IT Security and Privacy Policy Volume 2 states that system owners must work with the OCIO and DSOs to develop information system security plans. However, the policy provides no actual guidance for doing so. We continue to recommend that the OCIO develop an ISSP policy to provide guidance to program offices developing a security plan as part of the C&A process.

d) OCIO management of the C&A process

The OCIO is responsible for assisting program offices in the development of C&A packages for their systems.
OPM's C&A Guide also states that the OCIO must review completed C&A packages for quality and completeness before recommending the system for accreditation.

Although the OCIO has procedures for conducting post-completion reviews of C&A packages, the post-completion review for at least one system (the LAN/WAN infrastructure) was conducted after the certification and accreditation statements were signed. The reviewer of the LAN/WAN C&A package found several errors and weaknesses in the documentation and made recommendations for improvement, but these were not presented to the certification and accreditation authority prior to the signing of the C&A statements.

In addition, the OCIO does not have the resources available to actively participate in the planning or development of the C&A packages for each agency system. Inadequate oversight of the C&A process by the OCIO has led to OPM program offices developing inconsistent and low quality C&A packages.

Recommendation 8
We recommend that the OCIO assign additional resources to facilitate the C&A process to ensure the consistency and quality of C&A packages developed by OPM program offices.

OCIO Response:
"The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The CIO has doubled the number of full time resources assigned to the C&A program and this increase in resources will improve the quality of C&A packages. C&A packages found to be of poor quality are being returned for rework for correction of deficiencies."

e) Testing of security controls

Although a full C&A is required for each system every three years, the security controls of that system must be tested on an annual basis. An annual test of security controls provides a method for agency officials to determine the current status of their information security programs and, where necessary, establish a target for improvement. Failure to complete a security controls test increases the risk that agency officials are unable to make informed judgments to appropriately mitigate risks to an acceptable level.

We conducted a review of the documentation resulting from the security controls tests for each of the 43 systems in OPM's inventory. Our evaluation indicated that the IT security controls had been adequately tested for only 28 of OPM's 43 systems during FY 2010.

There was a wide range of quality among the 28 security control tests that were conducted. Some program offices tested all security controls applicable to their system while others tested only a small subset. There was also a variance in the security controls that program offices assumed to be "common controls" inherited from OPM's IT and facility infrastructures (see section X, Continuous Monitoring). In addition, the tests were documented in many different formats and templates. We believe that these inconsistencies are a result of OPM's lack of agency-wide policy or guidance on how to adequately test information system security controls.

Recommendation 9 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 5)
We recommend that the OCIO develop a policy for adequately testing the security controls of OPM's systems, and provide training to the DSO community related to proper security control testing.

OCIO Response:
"The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The Information Security and Privacy Policy Volume 1 requires security controls to be periodically assessed, and CIO security staff works with the DSO community on annual testing efforts, including keeping track of the number of systems that have tested their security controls. We will enhance the current security policy in the security handbook that is under development and provide additional guidance to DSOs to enhance the testing of security controls."

OIG Reply:
The IT Security and Privacy Policy Volume 1 states that information system security controls must be assessed on a periodic basis, but provides no guidance for doing so. The extreme range in quality between security control tests conducted by various OPM program offices indicates that the OCIO has not provided adequate guidance on this topic. We continue to recommend that the OCIO develop a policy for adequately testing the security controls of OPM's systems, and provide training to the DSO community related to proper security control testing.

Recommendation 10 (Roll-Forward from OIG Reports 4A-CI-00-09-031 Recommendation 6 and 4A-CI-00-08-022 Recommendation 1)
We recommend that OPM ensure that an annual test of security controls has been completed for all systems.

OCIO Response:
"The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The CIO staff continues to work with the DSO community to ensure that security controls have been tested for all systems. The CIO security staff sends out a reminder to all DSOs each month informing them to complete required security controls testing and assists with technical guidance.
We will continue to work with the DSO community and escalate systems where security controls have not been tested to the associated director in the specific business area."

IV. Security Configuration Management

The sections below detail the controls OPM has in place regarding the technical configuration management of its major applications and user workstations.

a) Agency-wide security configuration policy

The OCIO has implemented an agency-wide Configuration Management Policy. This policy was updated during FY 2010 and outlines the process for maintaining a securely configured network environment.

The OCIO has also implemented a patch management policy that outlines the responsibilities and procedures for ensuring that OPM servers are routinely patched. However, this policy has not been updated since August 2005. In August 2010, the OCIO informed the OIG that this policy is in the process of being updated.

Recommendation 11 (Roll-Forward from OIG Report No. 4A-CI-00-09-031 Recommendation 25)
We recommend that the OCIO develop and publish to THEO an up-to-date Patch Management Policy.

OCIO Response:
"The CIO does not concur with this recommendation. The OPM ISPP details the high level patch (flaw remediation) requirements and agency policy. (See ISPP Volume 2, page 71, 800-53 rev 3 Control SI-2). Low level procedures exist and are utilized by the Network Management administrators to patch desktops and servers. Ongoing improvements to the patch management process are being tested and implemented as new tools and processes become available. Current initiatives include procurement requests for enterprise-wide patch and vulnerability management tools (BigFix and Windows SUS) scheduled for implementation in FY 2011."

OIG Reply:
The Information Security and Privacy Policy Volume 2 simply states that system stakeholders must "identify, report, and correct flaws discovered in the information system software or hardware." This does not constitute a comprehensive patch management policy. We acknowledge that low level patch management procedures exist, but they have not been updated in over five years. We continue to recommend that the OCIO develop and publish to THEO an up-to-date Patch Management Policy.

b) Management of hardware inventory

OPM currently uses several Excel spreadsheets to track its computer hardware inventory. These spreadsheets are manually updated when new hardware is purchased or old hardware is decommissioned. Separate spreadsheets are maintained by different individuals for Windows servers, Linux servers, and all servers operated by OPM's Federal Investigative Services program office. However, each of these spreadsheets is maintained independently from the other inventories, and no individual at OPM maintains a single inventory listing that contains all computer hardware owned by the agency. Therefore, the OCIO is unable to attest that all computer hardware in OPM's operating environment is accounted for.

Recommendation 12
We recommend that the OCIO develop a single centralized agency-wide hardware inventory.

OCIO Response:
"The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. Network Management is actively implementing a centralized agency-wide automated hardware inventory tracking system. Asset tags are being applied to all accountable IT assets, and pending procurements for scanning equipment are expected to quickly bring the outstanding inventory under control. Daily and weekly automated inventory reports are now being produced and internal audits of the process will begin this quarter."

Recommendation 13
We recommend that the OCIO develop and implement a strategy for using automated techniques for tracking hardware inventory.

OCIO Response:
"The CIO concurs with this recommendation."

c) Standard baseline configurations

OPM maintains standard baseline configurations and/or build sheets for all operating platforms reviewed by the OIG, including:

The OCIO uses vulnerability scanning tools to routinely scan servers to ensure compliance with configuration guides and baselines for the majority of platforms. Nothing came to our attention during this review to indicate that there are weaknesses in OPM's baseline configuration controls.

d) Federal Desktop Core Configuration

OPM has developed a Windows XP standard image that is generally compliant with Federal Desktop Core Configuration (FDCC) standards and has documented nine deviations between this image and FDCC requirements.

As of September 30, 2010, OPM's FDCC compliant image had not been rolled out to the majority of OPM workstations.

Recommendation 14 (Roll-Forward from OIG Reports 4A-CI-00-09-031 Recommendation 26 and 4A-CI-00-08-022 Recommendation 16)
We recommend that the OCIO implement FDCC compliant images on all OPM workstations.

OCIO Response:
"The CIO concurs with this recommendation and offers the following clarifying remarks: An FDCC workstation baseline image has been created and is currently being deployed. All new workstations and all agency laptops are currently secured utilizing an FDCC (USGCB) compliant image. The FDCC image has been rolled out to 1200 laptops and 800 desktops as of this date. Image deployment and enforcement of the legacy workstations is currently an active project and is being pushed through domain GPO. The addition of workstations occurs daily and is scheduled to have full completion by the end of the first quarter of FY 2011. Part of the delay in implementation was due to working with the union to assess the impact on employees."

V. Incident Response and Reporting Program

OPM has developed an "Incident Response and Reporting Guide" that outlines the responsibilities of OPM's Computer Incident Response Team (CIRT) and documents procedures for reporting all IT security events to the appropriate entities. We evaluated the degree to which OPM is following internal procedures and FISMA requirements for reporting security incidents internally, to the United States Computer Emergency Readiness Team (US-CERT), and to appropriate law enforcement authorities.

a) Identifying and reporting incidents internally

OPM's Incident Response and Reporting Guide requires any user of the agency's IT resources to immediately notify OPM's Situation Room when IT security incidents occur. During the past year, OPM has provided its employees with various forms of training related to the procedures to follow in the event sensitive data is lost.
In addition, OPM reiterates the information provided in the Incident Response and Reporting Guide in the annual IT security and privacy awareness training.

b) Reporting incidents to US-CERT

OPM's Incident Response and Reporting policy states that OPM's CIRT is responsible for sending incident reports to US-CERT on security incidents. OPM notifies US-CERT within one hour of a reportable security incident occurrence. Comprehensive analysis and documentation of any reported security incident, along with ongoing correspondence with US-CERT, is tracked through "Remedy Tickets" maintained by OPM's help desk.

c) Reporting incidents to law enforcement

The Incident Response and Reporting policy states that security incidents should also be reported to law enforcement authorities, where appropriate. OPM notifies OIG law enforcement of security incidents with a monthly report outlining all incidents where sensitive data was lost.

VI. Security Training Program

The following sections detail OPM's methodology for providing security awareness training to all employees and specialized security training to individuals with IT security responsibility.

a) Security awareness training

The OCIO has implemented a process to provide annual IT security and privacy awareness training to all OPM employees and contractors. The training is conducted through an interactive web-based course. The course introduces employees and contractors to the basic concepts of IT security and privacy, including topics such as the importance of information security, security threats and vulnerabilities, viruses and malicious code, privacy training, peer-to-peer software, and the roles and responsibilities of users.

Over 99 percent of OPM's employees and contractors completed the security awareness training course in FY 2010.

b) Specialized security training

Agency employees with significant information security responsibilities are required to take specialized security training in addition to the annual awareness training.

The OCIO has developed a table outlining the security training requirements for specific job roles. The OCIO uses a spreadsheet to track the security training taken by employees that have been identified as having security responsibility. Of those identified, 87 percent completed at least one hour of specialized security training in FY 2010. However, a significant portion (33 percent) of the individuals on the spreadsheet are listed with a job role that does not appear on the training requirements table (i.e., "significant responsibility"), making it impossible to determine whether these individuals received adequate training in FY 2010.

Recommendation 15
We recommend that the OCIO improve the spreadsheet used to track security training to include a job function/responsibility for each individual that directly maps to the table containing training requirements.

OCIO Response:
"The CIO concurs with this recommendation and believes that the current spreadsheet used to track specialized security training can be improved. We will update the spreadsheet to include job function and responsibility for each individual that maps to the table containing training requirements."

Recommendation 16
We recommend that the OCIO ensure that all employees with significant information security responsibility take meaningful and appropriate specialized security training on an annual basis.

OCIO Response:
"The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The CIO believes that many employees are already taking meaningful and appropriate specialized training such as specialized courses offered through outside training providers, IT security conferences and other sources. However, OPM has contracted with SkillSoft to provide online training to employees at no additional cost. The CIO believes that the security courses available online through SkillSoft, such as CISSP prep courses among others, will be sufficient to meet the specialized training requirements."

VII. Plan of Action and Milestones Program

A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses. The sections below detail OPM's effectiveness in using POA&Ms to track the agency's security weaknesses.

a) POA&M Policy

The OCIO has developed a POA&M Guide and published it to THEO.
        However, the
        POA&M-related weaknesses outlined below indicate that the OCIO has not provided
        adequate guidance and training to the DSO community regarding appropriate
        management of POA&Ms.

        Recommendation 17 (Roll-Forward from OIG Report 4A-CI-00-09-031
        Recommendation 11)
        We recommend that the OCIO work closely with the DSO community, providing training
        and information-sharing sessions, to implement the procedures and ensure that there is a
        clear understanding of the appropriate management of POA&Ms.

        OCIO Response:
        "The CIO concurs with this recommendation and offers clarifying remarks in order to
        present a more current interpretation. The CIO is working closely with the DSO
        community on training and information sharing activities through the IT Security
        Working Group (ITSWG) that is facilitated by the Senior Agency Information Security
        Officer monthly. During FY10 we provided training on contingency plan testing,
        common security controls and POA&M management in addition to other areas. The
        CIO believes that this type of training is beneficial to the DSOs and for maintaining the
        OPM IT Security program and will continue to provide training and information
        sharing sessions through the ITSWG. The CIO will encourage all DSOs to take
        advantage of specialized training opportunities through the OPM Skill Soft program."

b) POA&Ms incorporate all known IT security weaknesses

   In October 2009, the OIG issued the FY 2009 FISMA audit report with 30 audit
   recommendations.
   We verified that all 30 of the recommendations were appropriately
   incorporated into the OCIO POA&M.

   The OIG conducted audits of three OPM systems in FY 2009 with a total of three audit
   recommendations that remained outstanding at the time the reports were issued.
   However, none of these audit recommendations appeared in the POA&M of the related
   system. Although each of these weaknesses has since been remediated, they should be
   documented in the system's POA&M for tracking purposes.

   Recommendation 18 (Roll-Forward from OIG Reports 4A-CI-00-09-031
   Recommendation 12 and 4A-CI-00-08-022 Recommendation 4)
   We recommend that OPM program offices incorporate all known IT security weaknesses
   into POA&Ms.

   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to
   present a more current interpretation. The CIO has dedicated multiple resources to
   ensure that all IT security weaknesses are incorporated into POA&Ms and has
   implemented safeguards to ensure accuracy. The CIO will continue to improve the
   POA&M management process."

c) Management of POA&Ms by program offices

   OPM program offices are responsible for developing, implementing, and managing
   POA&Ms for each system that they own and operate. We were provided evidence that
   current POA&Ms were submitted to the OCIO on a quarterly basis for only 35 of OPM's
   43 systems.

   Recommendation 19 (Roll-Forward from OIG Reports 4A-CI-00-09-031
   Recommendation 13 and 4A-CI-00-08-022 Recommendations 5 and 6)
   We recommend that an up-to-date POA&M exist for each system in OPM's inventory,
   and that system owners submit updated POA&Ms to the OCIO on a quarterly basis.

   OCIO Response:
   "The CIO does not concur with this recommendation.
   The CIO believes that up-to-date
   POA&Ms are in place for the systems on the OPM inventory and this is evident by
   a 100% compliance rate for Quarters 3 and 4 of FY10. The CIO believes that this
   recommendation focused on a period prior to Quarter 3 of FY10."

   OIG Reply:
   The OIG's review of POA&Ms did include Quarter 3 of FY 2010; three systems did not
   submit an up-to-date POA&M during this period. We continue to recommend that an
   up-to-date POA&M exist for each system in OPM's inventory and that system owners
   submit updated POA&Ms to the OCIO on a quarterly basis.

d) Remediation plans for correcting security weaknesses

   When a POA&M item is remediated, OPM program offices are required to submit a work
   completion plan (WCP) along with evidence that the deficiency was corrected to the
   OCIO for review. We reviewed WCPs for eight systems and found that the majority of
   the program offices provided sufficient evidence that the weakness was corrected. One
   program office was unable to provide WCPs for closed security weaknesses and
   subsequently re-opened these POA&M items.

e) Compliance with estimated dates for remediation

   The POA&Ms for 9 OPM systems contain security weaknesses with remediation
   activities over 120 days overdue. In the third quarter of 2010, OPM systems had a total
   of 58 POA&M items over 120 days overdue, an increase from 26 overdue items during
   the same time period in FY 2009.

   This indicates that the OCIO has not provided adequate leadership and guidance to
   ensure that program offices assign reasonable POA&M due dates and stay on track to
   meet those dates.
   Program offices are equally responsible for dedicating adequate
   resources to addressing POA&M weaknesses and meeting target objectives.

   Recommendation 20 (Roll-Forward from OIG Report 4A-CI-00-09-031
   Recommendation 14)
   We recommend that the OCIO develop a formal corrective action plan to immediately
   remediate all POA&M weaknesses that are over 120 days overdue. In addition, we
   recommend that the OCIO take a lead role in the future and work closely with OPM
   program offices to ensure that POA&M completion dates are achieved.

   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to
   present a more current interpretation. The CIO agrees that an action plan to
   remediate POA&M weaknesses that are over 120 days is appropriate and will take steps
   to develop the action plan. However, the CIO does not agree that all POA&Ms that are
   over 120 days can be remediated immediately because the resolution to some of these
   POA&Ms are beyond OPM's controls and require the cooperation of other
   stakeholders outside of OPM such as other Federal agencies. Many of these agencies
   for example have not implemented two factor authentication for various reasons
   including financial and this will prevent closure of certain POA&Ms that are over 120
   days.
   The CIO will make every effort to assess and remediate as many of these
   POA&Ms as possible."

   OIG Reply:
   The existence of POA&M items that require action from external stakeholders may
   indicate an inappropriate use of the POA&M, which is intended to track action items that
   must be completed by the POA&M owner in order to address a security weakness.

   While we acknowledge the OCIO's efforts to remediate as many overdue POA&M items
   as possible, we believe that this issue will continue to escalate until the OCIO addresses
   the problem of assigning unreasonable POA&M remediation deadlines. The drastic
   increase in overdue POA&M items from FY 2009 to FY 2010 indicates that the OCIO
   has not adequately provided leadership and guidance to ensure that program offices
   assign reasonable POA&M due dates.

f) OCIO tracking and reviewing of POA&M activities on a quarterly basis

   The OCIO requires program offices to provide the evidence, or "proof of closure," that
   security weaknesses have been resolved before closing the related POA&M.

   We selected one closed POA&M item from nine OPM systems and reviewed the proof of
   closure documentation provided by the program offices when the POA&M items were
   closed. The 9 systems were selected from a universe of 48 systems and were
   judgmentally chosen by OIG auditors. The results of the sample test were not projected
   to the entire population.

   Adequate proof of closure was provided for eight of the nine systems tested. Proof of
   closure was not available for three POA&M items selected for the ninth system, and the
   program office subsequently reopened these security weaknesses.
   The OCIO's failure to
   adequately review proof of closure documentation before allowing program offices to
   close POA&M items increases the risk that security weaknesses remain unaddressed.

   Recommendation 21
   We recommend that the OCIO verify that adequate proof of closure documentation exists
   for remediated weaknesses before allowing the program office to close POA&M items.

   OCIO Response:
   "The CIO does not concur with this recommendation. The POA&M management
   team in the Security and Privacy Group verifies that all POA&Ms submitted by
   Program Offices have adequate supporting evidence to close the POA&M and ensures
   that a proof of closure form is completed for each POA&M before closure takes place.
   Requests to close POA&Ms with adequate documentation or completed proof of closure
   forms are returned to the sender."

   OIG Reply:
   Although the OCIO believes that adequate procedures are in place, the results of the
   OIG's sample test indicated that several POA&M items were, in fact, inappropriately
   closed without adequate proof of closure. We continue to recommend that the OCIO
   verify that adequate proof of closure documentation exists for remediated weaknesses
   before allowing the program office to close POA&M items.

g) POA&M process prioritizes IT security weaknesses

   Each program office at OPM is required to prioritize IT security weaknesses on their
   POA&Ms to help ensure significant IT security weaknesses are addressed in a timely
   manner.
   However, we found that the OCIO did not prioritize security weaknesses on the
   LAN/WAN general support system.

   Recommendation 22 (Roll-Forward from OIG Report 4A-CI-00-09-031
   Recommendation 15)
   We recommend that the program offices responsible for the LAN/WAN prioritize the
   system weaknesses listed on its POA&Ms.

   OCIO Response:
   "The CIO does not concur with this recommendation. The LAN/WAN POA&Ms are
   prioritized and most recently updated during the June 2010 re-certification."

   OIG Reply:
   The OIG verified that the June 2010 version of the LAN/WAN POA&M prioritized
   security weaknesses. This recommendation is closed.

VIII. Remote Access Program

     The OIG evaluated OPM's remote access program by reviewing the agency's remote access
     and telecommuting policies and procedures and its progress in implementing the
     requirements of National Institute of Standards and Technology (NIST) Special Publication
     (SP) 800-46 Revision 1, "Guide to Enterprise Telework and Remote Access Security."

     a) Telecommuting policies and procedures

        NIST SP 800-46 Revision 1 states that a telework security policy should contain the
        following elements:
               • Which forms of remote access the organization permits;
               • Which types of telework devices are permitted to use each form of remote
                 access;
               • The type of access each type of teleworker is granted;
               • How user account provisioning should be handled; and
               • How the organization's remote access servers are administered and how
                 policies in those servers are updated.

   Although OPM has implemented a telecommuting policy that provides guidance on the
   establishment, management, and maintenance of telecommuting, it does not address any
   of the technical elements listed above. In addition, the telecommuting policy has not
   been updated since 2001.

   Recommendation 23
   We recommend that the OCIO update its telecommuting and remote access policy in
   accordance with NIST SP 800-46 Revision 1 guidelines.

   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to
   present a more current interpretation. The remote access policy and procedures are
   currently under review while new remote access methods are being tested and
   evaluated. Review and testing of new policy and procedures are expected to begin the
   second quarter FY 2011."

b) Authentication requirements

   OPM utilizes a Virtual Private Network (VPN) client to provide remote users with secure
   access to the agency's network environment. The OPM VPN requires username and
   password authentication to uniquely identify users. The agency maintains logs of
   individuals who remotely access the network, and the logs are reviewed on a monthly
   basis for unusual activity or trends.

   In FY 2009, OPM required two-factor authentication for remote access in the form of
   RSA token devices in combination with a password. However, the agency stopped
   enforcing two-factor authentication in FY 2010 and users were able to authenticate with
   only a password.
   OPM has recently implemented the capability of using Personal
   Identity Verification (PIV) cards along with a password for two-factor authentication.
   Although two-factor authentication is not currently enforced, OPM plans to restrict the
   use of single-factor authentication by October 8, 2010.

   Recommendation 24


   OCIO Response:
   "The CIO does not concur with this recommendation.


   OIG Reply:


IX.   Account and Identity Management Program

      The following sections detail OPM's account and identity management program.

      a) Account management

         OPM maintains two policies regarding management of user accounts: one related to
         Windows network (LAN) users and the other related to mainframe users. Both policies
         contain procedures for creating user accounts with the appropriate level of access as well
         as procedures for removing access for terminated employees.

         The OIG compared a list of terminated OPM employees to a list of active LAN users.
         Although we found that four employees maintained access after their termination date,
         we do not believe that this indicates a deficiency in the account management process.

      b) Properly authenticating network devices

         As mentioned in section IV, above, OPM uses Excel spreadsheets to maintain an
         inventory of hardware devices connected to its network.


         Recommendation 25
         We recommend that the OCIO implement


         OCIO Response:
         "The CIO concurs with this recommendation and


X.    Continuous Monitoring Program

      The following sections detail OPM's controls related to continuous monitoring of the
      security state of its information systems.

a) Continuous monitoring policy and procedures

   OPM's IT Security and Privacy Policy Volume 2 states that the security controls of all
   systems must be tested at least annually to determine the extent to which the controls are
   implemented correctly, operating as intended, and meeting the security requirements for the
   system.

   In addition to the annual tests, OPM's infrastructure systems (LAN/WAN and Enterprise
   Server) are subject to additional security control tests in the form of automated vulnerability
   scans. Although these scans are performed routinely, the OCIO has not developed a
   Continuous Monitoring Policy to provide guidance on identifying high-risk security controls
   along with a strategy for testing them on a continuous basis. In addition, the OCIO does not
   have a policy to provide guidance on continuous monitoring of systems operated by a
   contractor on behalf of OPM (see section XII).

   Recommendation 26 (Roll-Forward from OIG Report 4A-CI-00-07-015
   Recommendation 7)
   We recommend that the OCIO develop a Continuous Monitoring Policy that outlines a
   strategy for identifying information security controls that need continuous monitoring as
   well as procedures for conducting tests of these controls.

   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to
   present a more current interpretation. The CIO believes that continuous monitoring
   must be part of the IT Security policy updates that are now underway with assistance
   from the Bureau of the Public Debt.
   However, the CIO believes that security controls
   associated with continuous monitoring are documented in the Certification &
   Accreditation guide posted on THEO."

   OIG Reply:
   The Certification and Accreditation Guide states that system owners must "select security
   controls in the IT system to be continuously monitored" but provides no actual guidance
   on doing so. We continue to recommend that OPM develop a Continuous Monitoring Policy
   that outlines a strategy for identifying information security controls that need continuous
   monitoring as well as procedures for conducting tests of these controls.

b) List of common security controls

   NIST SP 800-53 Revision 3, "Recommended Security Controls for Federal Information
   Systems," provides guidelines for selecting and specifying security controls for
   information systems supporting the executive agencies of the federal government.

   Many of the applications in OPM's system inventory are housed in OPM's LAN/WAN
   or Enterprise Server (mainframe) general support systems (GSS). These applications
   inherit a significant portion of information security controls required by NIST SP 800-53
   from these environments. These inherited controls are referred to as "common controls."

   When the security controls of a system are subject to testing, the program office
   conducting the test is not required to evaluate the controls inherited from the GSS, as
   these controls are certified by the OCIO.
   However, the OCIO does not currently
   maintain a published list of common security controls, and individual program offices are
   responsible for determining which controls are inherited from a GSS, increasing the risk
   that certain security controls remain untested.

   Recommendation 27
   We recommend that the OCIO create a list of common security controls and distribute
   this information to OPM program offices responsible for testing individual applications.

   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to
   present a more current interpretation. The CIO has initiated a project to establish
   enterprise common controls under the management of the Senior Agency Information
   Security Officer. The IT Security Working Group has been briefed on this project and
   work has started with the program offices to identify common security controls and to
   consolidate them in a managed data repository. Enterprise common controls are
   expected to be in place in FY11."

XI.   Contingency Planning Program

      FISMA requires that a contingency plan be in place for each federal information system, and
      that the contingency plan be reviewed and tested on an annual basis. In addition, the OPM
      Certification and Accreditation Guide states that "To fully address system security
      throughout the certification and accreditation process, various security documents are
      required to be created and maintained throughout the life of the system." The Guide states
      that one of the required security documents is a contingency plan.

      The OIG verified that up-to-date contingency plans exist for only 36 of the 43 systems on
      OPM's master system inventory. Five of 43 systems had documented contingency plans, but
      they were not reviewed or updated in FY 2010.
      The OIG was not provided with evidence
      that a documented contingency plan exists for the remaining two systems.

      The contingency plans for 30 of OPM's 43 systems were tested in FY 2010 in full
      compliance with the requirements of NIST SP 800-34, Contingency Planning Guide for
      Information Technology Systems. Eleven of 43 system contingency plans were tested in FY
      2010, but not with a scenario-based contingency plan test conducted in accordance with
      NIST SP 800-34 requirements. The remaining two system contingency plans were not
      subject to any form of contingency plan test in FY 2010.

      Of the 43 systems on OPM's inventory, only 29 had both an up-to-date contingency plan and
      an adequate contingency plan test in FY 2010.

      OPM's Information Security and Privacy Policy Volume 2 states that each system owner
      must "Test the contingency plan for the information system at least annually to determine the
      plan's effectiveness and the system's readiness to execute the plan." However, this policy
      does not provide instructions for conducting business impact assessments, developing
      contingency plans, or conducting the contingency plan test in accordance with NIST
      guidance.

      Recommendation 28 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation
      Zl
      We recommend that the OCIO develop detailed guidance related to developing and testing
      the contingency plans of agency systems and provide training to the DSO community related
      to proper contingency planning and contingency plan testing.

      OCIO Response:
      "The CIO concurs with this recommendation and offers clarifying remarks in order to
      present a more current interpretation. The CIO believes that the contingency plan
      training provided to the Designated Security Officers through the IT Security Working
      Group is adequate.
      The CIO plans to standardize the contingency plan templates to
      improve the quality of the testing process."

      OIG Reply:
      Although a brief contingency plan training session was provided at a single IT Security
      Working Group meeting in FY 2010, we continue to believe that the OCIO's oversight of the
      contingency planning program is insufficient, as evidenced by the significant number of
      OPM systems without an adequate contingency plan or contingency plan test.

      Recommendation 29 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation
      ~
      We recommend that up-to-date contingency plans be developed for all agency systems.

      OCIO Response:
      "The CIO concurs with this recommendation and offers clarifying remarks in order to
      present a more current interpretation. The CIO believes that having up-to-date
      contingency plans is important and will continue to work with the Designated Security
      Officers to keep plans current."

      Recommendation 30 (Roll-Forward from OIG Reports 4A-CI-00-09-031
      Recommendation 9 and 4A-CI-00-08-022 Recommendation 2)
      We recommend that OPM's program offices test the contingency plans for each system on an
      annual basis. The contingency plans should be immediately tested for the 13 systems that
      were not subject to adequate testing in FY 2010.

      OCIO Response:
      "The CIO concurs with this recommendation and offers clarifying remarks in order to
      present a more current interpretation. Contingency plans are tested for a majority of
      systems on an annual basis and the records of each test are maintained by the Security and
      Privacy Group. The CIO acknowledges that some systems are behind schedule
      (approximately 10) with their testing in 2010 and will work to ensure that all testing is
      completed."

XII. Program to Oversee Contractor Systems

     OPM's master system inventory indicates that 11 of the agency's 43 major applications are
     operated by a contractor.

     In prior audits, OIG has verified that the security controls of these contractor systems were
     tested by an OPM employee. However, in FY 2010, 7 of the 11 contractor systems were not
     subject to security control testing.

     In addition, OPM does not have a formal policy providing the OCIO and other program
     offices guidance on the appropriate oversight of contractors and contractor-run systems.

     Recommendation 31
     We recommend that an OPM employee test information security controls for all systems
     operated by a contractor on an annual basis.

     OCIO Response:
     "The CIO concurs with this recommendation and offers clarifying remarks in order to
     present a more current interpretation. The CIO has provided guidance for testing security
     controls for contractor operated systems and the Security and Privacy Group has assessed
     security controls at the hosting facility for the 1GS_ LMS Learning Management System.
     The Security and Privacy Group plans to extend security controls testing in FY11 at other
     contractor facilities operating OPM systems."

     Recommendation 32 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation
     l.!Jl
     We recommend that OPM develop a policy providing guidance on adequate oversight of
     contractor-operated systems.

     OCIO Response:
     "The CIO concurs with this recommendation and offers clarifying remarks in order to
     present a more current interpretation.
     Policy covering oversight of contractor systems is
     documented in the IT Security & Privacy Handbook volume 1 that is posted on THEO.
     Additional related policy will be included in the policy update effort that is now in progress
     that will result in comprehensive IT security policies."

     OIG Reply:
     We were unable to locate any reference to oversight of contractor systems in Information
     Security and Privacy Policy Volume 1. We continue to recommend that OPM develop a
     policy providing guidance on adequate oversight of contractor-operated systems.

XIII. Follow-up From Prior OIG Audit Recommendations

     The following sections document the results of a follow-up review of prior IT security audit
     recommendations issued by the OIG.

     All prior audit recommendations that have not been remediated are rolled forward with a
     new recommendation number in this FY 2010 FISMA audit report. A high-level summary of
     the follow-up review can be found in Appendix I of this report.

     Audit recommendations issued prior to FY 2010 reference OPM's Center for Information
     Services (CIS) as the program office responsible for the agency's IT security program. After
     an organizational realignment, this group is now referred to as the Office of the Chief
     Information Officer (OCIO).

     Follow-up on recommendations issued in OIG Audit Report 4A-CI-00-07-015, "Audit
     of the Privacy Program at OPM - FY 2007"

     a) 4A-CI-00-07-015 Recommendation 1
        We recommend that OPM develop a comprehensive privacy policy (or a series of
        policies), that addresses the required areas.

        FY 2010 Status
        This recommendation remains open and is rolled forward as Report 4A-CI-00-10-019
        Recommendation 1 (see section I, above).

     b) 4A-CI-00-07-015 Recommendation 3
        We recommend that OPM continue its efforts to implement encryption capabilities on
        laptop computers and Blackberry mobile devices.

        FY 2010 Status
        The OIG has been provided evidence that the OCIO encrypts all data on all mobile
        computers containing sensitive information; this recommendation is closed.

     c) 4A-CI-00-07-015 Recommendation 4
        We recommend that OPM continue its efforts to


        FY 2010 Status
        This recommendation was rolled forward until FY 2009 Report 4A-CI-00-09-031
        Recommendation 24, where it was closed. However, OPM stopped enforcing
        in FY 2010, and this recommendation is reopened as Report 4A-CI-00-10-019
        Recommendation 24 (see section VIII, above).

     d) 4A-CI-00-07-015 Recommendation 7
        We recommend that OPM develop policies and procedures for periodically monitoring
        the Agency intranet, network, and websites for inadvertent privacy vulnerabilities.

        FY 2010 Status
        This recommendation is rolled forward as Report 4A-CI-00-10-019 Recommendation 26
        (see section X, above).

     Follow-up on recommendations issued in OIG Audit Report 4A-CI-00-09-053, "Flash
     Audit Alert Information Technology Security Program at the U.S.
     Office of Personnel
     Management"

     a) 4A-CI-00-09-053 Recommendation 1
        We recommend that CIS correct the FY 2009 second quarter FISMA report to accurately
        reflect the status of OPM's IT security position as of March 1, 2009.

        FY 2010 Status
        This recommendation was closed in FY 2009.

     b) 4A-CI-00-09-053 Recommendation 2
        We recommend that CIS develop a comprehensive set of IT security policies and
        procedures, and a plan for updating it at least annually.

        FY 2010 Status
        This recommendation remains open and is rolled forward as 4A-CI-00-10-019
        Recommendation 1 (see section I, above).

     c) 4A-CI-00-09-053 Recommendation 3
        We recommend that the OPM Director ensure that CIS has adequate resources to
        properly staff its IT Security and Privacy Group.

        FY 2010 Status
        This recommendation remains open and is rolled forward as 4A-CI-00-10-019
        Recommendation 2 (see section I, above).

     d) 4A-CI-00-09-053 Recommendation 4
        We recommend that CIS recruit a permanent Senior Agency Information Security Officer
        as soon as possible, and adequate staff to effectively manage the agency's IT security
        program.

        FY 2010 Status
        The OCIO hired a permanent Senior Agency Information Security Officer in FY 2010;
        this recommendation is closed.

     Follow-up on recommendations issued in OIG Audit Report 4A-CI-00-09-031, "Federal
     Information Security Management Act Audit - FY 2009"

     a) 4A-CI-00-09-031 Recommendation 1
        We recommend that CIS conduct a survey of OPM program offices (particularly the
        Benefits Systems Group) to identify any systems that exist but do not appear on the
        system inventory.
        The systems discovered during this survey should be promptly added
        to the system inventory and certified and accredited.

        FY 2010 Status
        The OCIO is in the process of conducting a survey of program offices to identify all
        missing systems, but this assessment has not been completed. This recommendation
        remains open and is rolled forward as Report 4A-CI-00-10-019 Recommendation 33.

        Recommendation 33 (Roll-forward from OIG Report 4A-CI-00-09-031
        Recommendation 1)
        We recommend that CIS conduct a survey of OPM program offices (particularly the
        Benefits Systems Group) to identify any systems that exist but do not appear on the
        system inventory. The systems discovered during this survey should be promptly added
        to the system inventory and certified and accredited.

        OCIO Response:
        "The CIO concurs with this recommendation and offers clarifying remarks in order to
        present a more current interpretation. A survey has been distributed to identify systems
        used by OPM that might not be on the system inventory. The results of the survey will
        be used to update that system inventory as necessary."

     b) 4A-CI-00-09-031 Recommendation 2
        We recommend that CIS develop and maintain an inventory of all system interfaces.

        FY 2010 Status
        The OCIO's master system inventory now contains a listing of all known system
        interfaces; this recommendation is closed.

     c) 4A-CI-00-09-031 Recommendation 3
        We recommend that CIS develop a policy providing guidance on the development and
        appropriate use of MOUs and ISAs.

        FY 2010 Status
        The OCIO stated that the OPM Security and Privacy Policy addresses the use of MOUs
        and ISAs at OPM.
Although this policy states that it "applies to other agencies\' systems\n   as delineated in memorandums of understanding (MOUs) and interconnection security\n\n\n                                          33\n\x0c   agreements (lSAs) with OPM," it does not provide guidance on the development and\n   appropriate use ofMOUs and ISAs. This recommendation remains open and is rolled\n   forward as Report 4A-CI-00-I0-019 Recommendation 34.\n\n   Recommendation 34 (Roll-forward from OIG Report 4A-CI-OO-09-03J\n   Recommendation 3)\n   We recommend that the OCIO develop a policy providing guidance on the development\n   and appropriate use ofMOUs and ISAs.\n\n   OCJO Response:\n   "The CIO does not concurs with this recommendation and believe that MOU and ISA\n   policies are documented in the IT Security and Privacy Handbook volume 2 that is\n   posted on THEO. The current MOUIISA policies will be enhanced as part of the\n   security policy update project. "\n\n   OIGReply:\n   The FY 2009 OIG FISMA audit report stated that:\n\n   "OPM\'s Information Security and Privacy Policy Volume 2 states that "this policy\n   applies to other agency\'s systems as delineated in memorandums ofunderstanding\n   (MOUs) and interconnection security agreements (ISAs) with OPM .. However. this\n   policy does not provide any guidance outlining the appropriate use ofMOUs and ISAs\n   (required elements ofthese agreements, when they are required, etc) . ..\n\n   The OCIO agreed to the recommendation to implement a policy providing guidance on\n   the development and appropriate use of MOUs and ISAs. Since no such policy was\n   published in FY 2010, this recommendation remains open.\n\nd) \t 4A-CI-00-09-031 Recommendation 4\n     We recommend that CIS conduct a survey to determine how many systems owned by\n     another agency are used by OPM.\n\n   FY 2010 Status\n   The OCIO is in the process of completing a survey to determine how many systems\n   owned by other agencies are used by OPM. 
However, this survey was not complete as of\n   September 30. 2010. This recommendation remains open and is rolled forward as Report\n   4A-CI-00-IO-019 Recommendation 35.\n\n   Recommendation 35 (Roll-forward from OIG Report 4A-CI-OO-09-03J\n   Recommendation 4)\n   We recommend that CIS conduct a survey to determine how many systems o\\\'med by\n   another agency are used by OPM.\n\n\n\n\n                                        34 \n\n\x0c   OCID Response:\n   "The CIO concurs with this recommendation and offers clarifying remarks in order to\n   present a more current interpretation. A survey has been distributed to program\n   offices 10 identify sy~ilenu ufJ\'ed by OPM Ihat might nol be on Ihe system im\xc2\xb7entory. The\n   results ofthe survey will be used to update that system inventory as necessary and to\n   determine other systems owned by other agencie.fi that are used by OPM."\n\ne) \t 4A-C1-00-09-031 Recommendation 5\n     We recommend that C IS develop a policy for adequately testing the security controls of\n     OPM\'s systems, and provide training to the Designated Security Officer (DSO)\n     community related to proper security control testing.\n\n   FY 2010 Status\n   This recommendation remains open and is rolled forw ard as Report 4A-CI-00-1O-019\n   Recommendation 9 (see section III, above).\n\nf) \t 4A-CI-00-09-031 Recommendation 6 (Roll-Forward from OIG Repon 4A-CI-OO-OB-022\n     Recommendation I)\n   We recommend that OPM ensure that an annual test of sccurity\n\n\n\n   FY 2010 Status\n   This recommendation remains open and is rolled forward as Report 4A\xc2\xb7CI-00-1O-019\n   Recommendation 10 (see section III. 
above).\n\ng) \t 4A-CI-00-09-031 Recommendation 7\n   We recommend that OPM develop detailed guidance related to developing and testing the\n   contingency plans of agency systems and provide training to the DSO community related\n   to proper contingency planning and contingency plan testing.\n\n    FY 2010 Status\n   Thi s recommendation remains open and is rolled forward to Report 4A-C I\xc2\xb7OO-1 0\xc2\xb7019\n   Recommendation 28 (see section XI, above).\n\nh) \t 4A-CI-00-09-031 Recommendation 8\n     We recommend that up-to-date contingency plans be developed for all agency systems.\n\n   FY 20 I 0 Status\n   This recommendation remains open and is rolled fonvard to Report 4A-CI-00-10\xc2\xb7019\n   Recommendation 29 (see sect ion XI. above).\n\ni) \t 4A\xc2\xb7 CJ\xc2\xb700\xc2\xb709-031 Recommendation 9 (Roll-Forward from (JIG Report 4A-CI-OO-OB-022\n   Recommendation 2)\n   We recommend that OPM\'s program offices test the contingency plans for each system\n   on an annual basis.\n\n\n                                           35\n\x0c   FY 2010 Status\n   This recommendation remains open and is rolled forward to Report 4A-CI-00-IO-019\n   Recommendation 30 (see section XI, above).\n\nj) \t 4A-CI-00-09-031 Recommendation 10\n     We recommend that OPM develop a policy providing guidance on providing adequate\n     oversight of contractor operated systems.\n\n   FY 2010 Status\n   This recommendation remains open and is rolled forward to Report 4A-CI-00-I 0-0 19\n   Recommendation 32 (see section XII, above).\n\nk) \t 4A-CI-00-09-031 Recommendation II\n     We recommend that CIS publish the Plan of Action and Milestone Standard Operating\n     Procedure to THEO. 
   Once the procedures have been published, CIS should work closely with the DSO community, providing training and information-sharing sessions, to implement the procedures and ensure that there is a clear understanding of the appropriate management of POA&Ms.

   FY 2010 Status
   Although the OCIO has published a POA&M Guide to THEO, adequate training has not been provided to the DSO community. This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019 Recommendation 17 (see section VII, above).

l) 4A-CI-00-09-031 Recommendation 12 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 4)
   We recommend that OPM program offices incorporate all known IT security weaknesses into POA&Ms.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019 Recommendation 18 (see section VII, above).

m) 4A-CI-00-09-031 Recommendation 13 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendations 5 and 6)
   We recommend that an up-to-date POA&M exist for each system in OPM's inventory, and that system owners submit updated POA&Ms to CIS on a quarterly basis.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019 Recommendation 19 (see section VII, above).

n) 4A-CI-00-09-031 Recommendation 14
   We recommend that CIS develop a formal corrective action plan to immediately remediate all POA&M weaknesses that are over 120 days overdue. In addition, we recommend that CIS take a lead role in the future and work closely with OPM program offices to ensure that POA&M completion dates are achieved.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019 Recommendation 20 (see section VII, above).

o) 4A-CI-00-09-031 Recommendation 15
   We recommend that the program offices responsible for the two systems in question prioritize the system weaknesses listed on their POA&Ms.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019 Recommendation 22 (see section VII, above).

p) 4A-CI-00-09-031 Recommendation 16 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 9)
   We recommend that all active systems in OPM's inventory have a complete and current C&A.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019 Recommendation 5 (see section III, above).

q) 4A-CI-00-09-031 Recommendation 17
   We recommend that the FIPS Publication 199 security categorization be updated for the inappropriately categorized system.

   FY 2010 Status
   The FIPS Publication 199 security categorization has been corrected for the system in question; this recommendation is closed.

r) 4A-CI-00-09-031 Recommendation 18
   We recommend that CIS update the PIA Guide to address all of the requirements of OMB Memorandum M-03-22.

   FY 2010 Status
   A new PIA Guide has been developed in compliance with OMB Memorandum M-03-22; this recommendation is closed.

s) 4A-CI-00-09-031 Recommendation 19
   We recommend that CIS conduct a new PIA survey to determine which OPM systems require a PIA, including those systems that process sensitive information about government employees and contractors.

   FY 2010 Status
   The OCIO has begun the process of helping program offices complete the PIA survey that is part of the new PIA Guide. However, the surveys were not complete as of September 30, 2010. This recommendation remains open and is rolled forward as Report 4A-CI-00-10-019 Recommendation 36.

   Recommendation 36 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 19)
   We recommend that the OCIO conduct a new PIA survey to determine which OPM systems require a PIA, including those systems that process sensitive information about government employees and contractors.

   OCIO Response:
   "The CIO does not concur with this recommendation. A Privacy Threshold Analysis documentation is performed for each system to discover whether a PIA is required. This is in accordance with NIST 800-122 recommendations."

   OIG Reply:
   We confirmed that a Privacy Threshold Analysis has been conducted for each system in OPM's inventory. This recommendation is closed.

t) 4A-CI-00-09-031 Recommendation 20
   We recommend that a new PIA be conducted for the appropriate systems based on the updated PIA Guide.

   FY 2010 Status
   The OCIO has begun the process of helping program offices complete new PIAs. However, the assessments were not complete as of September 30, 2010. This recommendation remains open and is rolled forward as Report 4A-CI-00-10-019 Recommendation 37.

   Recommendation 37 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 20)
   We recommend that a new PIA be conducted for the appropriate systems based on the updated PIA Guide.

   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The new PIA template was reviewed and accepted by the OIG. We are informing DSO's that there are new requirements when they submit their PIA's for review. The PIA submitted by the DSO is being updated with the new questions required by the IG and returned to the DSO for completion.

   The 'guide' itself is being updated to reflect the new questions and will need to be approved in DMS through the established directive process before it can be published to the OPM.GOV and THEO websites."

u) 4A-CI-00-09-031 Recommendation 21
   We recommend that each system owner annually review the existing PIA for their system to reevaluate current holdings of personally identifiable information (PII), and that they submit evidence of the review to CIS.

   FY 2010 Status
   Each system owner is reviewing the PIA for their system as part of the process of implementing the new PIA Guide. However, the assessments were not complete as of September 30, 2010. This recommendation remains open and is rolled forward as Report 4A-CI-00-10-019 Recommendation 38.

   Recommendation 38 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 21)
   We recommend that each system owner annually review the existing PIA for their system to reevaluate current holdings of PII, and that they submit evidence of the review to the OCIO.

   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation.
   System Owners are required to validate PTAs annually."

v) 4A-CI-00-09-031 Recommendation 22 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 12)
   We recommend that OPM continue its efforts to eliminate the unnecessary use of social security numbers (SSNs) in accordance with OMB Memorandum M-07-16.

   FY 2010 Status
   The OCIO has developed a plan to eliminate the unnecessary use of SSNs, but does not currently have the resources to execute the plan. The recommendation remains open and will be rolled forward as Report 4A-CI-00-10-019 Recommendation 39.

   Recommendation 39 (Roll-Forward from OIG Reports 4A-CI-00-09-031 Recommendation 22 and 4A-CI-00-08-022 Recommendation 12)
   We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16.

   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. OPM currently does not have the funding to effectively pursue the elimination of unnecessary use of SSN's as stated in OMB memorandum M-07-16. Efforts are made when the unnecessary use of SSN is discovered in PTA and PIA documentation and efforts are explored with the program office for alternatives. OPM does comply with the requirement to meet regularly with other federal agencies on this effort."

w) 4A-CI-00-09-031 Recommendation 23
   We recommend that OPM participate in government-wide efforts to explore alternatives to agency use of SSNs, as required by OMB Memorandum M-07-16.

   FY 2010 Status
   The OIG has been provided evidence that OPM participates in government-wide efforts to explore alternatives to agency use of SSNs; this recommendation is closed.

x) 4A-CI-00-09-031 Recommendation 24 (Roll-Forward from OIG Reports 4A-CI-00-08-022 Recommendation 13, 4A-CI-00-07-015 Recommendation 3, and 4A-CI-00-07-007 Recommendation 4)
   We recommend that CIS encrypt all data on all mobile computers containing sensitive information.

   FY 2010 Status
   The OIG has been provided evidence that the OCIO encrypts all data on all mobile computers containing sensitive information; this recommendation is closed.

y) 4A-CI-00-09-031 Recommendation 25
   We recommend that OPM develop an up-to-date Security Configuration and Hardening Policy, Patch Management Policy, and System Monitoring Policy.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019 Recommendation 11 (see section IV, above).

z) 4A-CI-00-09-031 Recommendation 26 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 16)
   We recommend that OPM implement FDCC compliant images on all OPM workstations.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019 Recommendation 14 (see section IV, above).

aa) 4A-CI-00-09-031 Recommendation 27
   We recommend that OPM incorporate Federal Acquisition Regulation 2007-004 language in all contracts related to common security settings.

   FY 2010 Status
   The OCIO has taken steps towards incorporating Federal Acquisition Regulation 2007-004 language in all contracts related to common security settings, but the language does not yet appear in all contracts. The formatting of the new language is still in draft form. The recommendation remains open and is rolled forward as Report 4A-CI-00-10-019 Recommendation 40.

   Recommendation 40 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 27)
   We recommend OPM incorporate Federal Acquisition Regulation 2007-004 language in all contracts related to common security settings.

   OCIO Response:
   "The CIO concurs with this recommendation."

bb) 4A-CI-00-09-031 Recommendation 28 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 15)
   We recommend that in the event that [redacted] cannot be remediated due to a technical or business reason, the [redacted] owner should document the reason in the system's ISSP and formally accept any associated risks.

   FY 2010 Status
   The [redacted] vulnerability in question has not been addressed as this database is currently in the process of migrating to a new version of [redacted]. This recommendation remains open and is rolled forward as Report 4A-CI-00-10-019 Recommendation 41.

   Recommendation 41 (Roll-Forward from OIG Reports 4A-CI-00-09-031 Recommendation 28 and 4A-CI-00-08-022 Recommendation 15)
   We recommend that in the event that [redacted] cannot be remediated due to a technical or business reason, the [redacted] owner should document the reason in the system's ISSP and formally accept any associated risks.

   OCIO Response:
   "The CIO concurs with this recommendation."

cc) 4A-CI-00-09-031 Recommendation 29
   We recommend that CIS determine which systems in its inventory are subject to e-Authentication requirements and complete e-Authentication risk assessments for each of these systems.

   FY 2010 Status
   OPM's master system inventory appropriately identifies systems that are subject to an e-Authentication risk assessment; this recommendation is closed.

dd) 4A-CI-00-09-031 Recommendation 30 (Roll-Forward from OIG Reports 4A-CI-00-08-022 Recommendation 19, 4A-CI-00-07-007 Recommendation 3 and 9, 4A-CI-00-07-015 Recommendation 1,
and 4A-CI-00-06-0J6 Recommendation 6)\n    We recommend that CIS develop up-to-date and comprehensive IT security policies and\n    procedures, and publish these documents to THEO.\n\n   FY 2010 Status\n   This recommendation remains open and is rolled forward to Report 4A-CI-00-IO-019\n   Recommendation I (see section I, above).\n\n\n\n\n                                        42 \n\n\x0c                            Major Contributors to this Report\n\nThis audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector\nGeneral, Infonnation Systems Audil\'i Group. The following individuals participated in the audit\nand the preparation of this report:\n\n\xe2\x80\xa2                  , Group Chief\n\n\xe2\x80\xa2                     Senior Team Leader\n\n\xe2\x80\xa2                     Lead IT Auditor\n\n\xe2\x80\xa2                 IT Auditor\n\n\xe2\x80\xa2                     IT Auditor\n\n\xe2\x80\xa2                 IT Auditor\n\n\n\n\n                                              43 \n\n\x0c                                                                        Appendix I\n\n                                                       Status of Prior OIG Audit Recommendations\n\nThe tables below outline the current status of prior audit recommendations issued by the Office of the Inspector General.\n\nReport No. 4A-IS-00-05-026: Audit of IT Security Controls for the Electronic Questionnaire for Investigative Processing (e-QIP), issued\nJune 16, 2005\n                                                                                                                                                 ... \xc2\xad\n Rec#                        Orieinal Recommendation                                 Recommendation History                     Current Status\n             We recommend that FISO verify that only authorized users         Recommendation new in FY 2005. 
In FY\n                                                                                                                          OPEN - OPM Form 1665\n             have access to e-QIP and document and maintain on file           2009 FISO was in the process of updating\n   18                                                                                                                     has not been updated as of\n             authorizations for users, including administrators, operators,   OPM account access request form 1665 to\n                                                                                                                          September 30, 20 I 0\n             and developers.                                                  address this recommendation.\n\n\nReport No. 4A-CI-00-06-016: FY 2006 Federal Information Security Management Act Audit, issued September 22, 2006\n\n Rec#                        Orieinal Recommendation                                 Recommendation History                     Current Status\n                                                                              Recommendation new in FY 2006.\n             We recommend that the CIS/CIO develop and document a             Rolled-forward as Report 4A-CI-00-07\xc2\xad       OPEN - Rolled-forward as\n   6         formal process to promptly analyze new and existing              007 Recommendation 9, 4A-CI-00-08\xc2\xad          Report 4A-CI-00-1 0-019\n             guidance and update OPM\'s IT security policies and               022 Recommendation 19, and 4A-CI-00\xc2\xad        Recommendation I.\n             procedure according Iy.\n        .   __. _ .                                                           09-031 Recommendation 30 .\n\n\nReport No. 
4A-CI-00-07-015: FY 2007 Audit of the Privacy Program at OPM, issued January 25,2007\n                                                                                                                      -c----.\n Rec#                        Orieinal Recommendation                                 Recommendation History                     Current Status\n             We recommend that OPM develop a comprehensive privacy            Recommendation new in FY 2007.              OPEN - Rolled-forward as\n   I         policy (or a series of policies), that addresses the required    Rolled-forward as Report 4A-CI-00-07\xc2\xad       Report 4A-CI-00-I 0-019\n             areas.                                                           007 Recommendation 3.                       Recommendation I.\n\x0c                                                                     Recommendation new in FY 2007.\n        We recommend that OPM continue its efforts to implement      Rolled-lorward as Report 4A-CI-00-07\xc2\xad\n   3    encryption capabilities on laptop computers and Blackberry   007 Recommendation 4, 4A-CI-OO-08\xc2\xad       CLOSED \n\n        mobile devices. \n                                            022 Recommendation 13. and 4A-CI-OO\xc2\xad\n                                                                     09\xc2\xb7031 Recommendation 24.\n                                                                     Recommendation new in FY 2007.\n                                                                     Rollcd-Iorward as Report 4A-CI-00-07\xc2\xad\n   4                                                                 007 Recommendation 4, 4A-CI-00-08\xc2\xad       CLOSED\n                                                                     022 Recommendation 13, and 4A-CI-OO\xc2\xad\n                                                                     09-031 Recommendation 24. 
\n\n        We recommend that OPM develop policies and procedures \n                                               OPEN - Rolled-forward as\n                                                                     Recommendation new in FY 2007.\n   7    for periodically monitoring the Agency intranet, network,                                             Rcporl4A-CI-OO-IO-OI9\n        and wcbsitcs for inadvertent rivac vulnerabilities,                                                   Recommendation 26.\n\n\nReport No. 4A-CI-OO-07-007: FY 2007 Federal Information Security Management Act Audit, issued September 18, 2007\n\n Rec#                   Ori2inal Recommendation                             Recommendation History                  Current Status\n                                                                     Rolled-forward/rom Report 4A-CI-OO\xc2\xad\n        We recommend that OPM\'s Plans and Policy Group               07\xc2\xb7015 Recommendation 1.                 OPEN - Rolled\xc2\xb7forward as\n   3    continue its efforts to develop an Agency\xc2\xb7wide privacy       Rolled lorward as Report 4A\xc2\xb7CI-OO\xc2\xb708\xc2\xb7    Reporl4A-CI-OO-IO-019\n        policy.                                                      022 Recommendation 19, and 4A-CI-OO \xc2\xad    Recommendation 1.\n                                                                     09-031 Recommendation }o.\n                                                                     Rolled-forward/rom Rcp()I1 4A-CI-OO-\n        We recommend that OPM continue its efforts to protect        70-015 Recommendation 3.\n   4    sensitive data by implementing technical controls in         Rolled-forward as Report 41\\-CI-00-08\xc2\xad   CLOSED\n        compliance with OMS Memorandum M-06-16.                      
022 Recommendation 13, and 4A-CI\xc2\xb7OO\xc2\xad\n                                                                     09-031 Recommendation 24.\n                                                                     Rolled-forward/TlJm Report 4A-CI-OO\xc2\xad\n                                                                     06-016 Recommendation 6.                 OPEN - Rolled-forward as\n        We recommend that the CIS/CIO promptly update OPM \' s\n   9                                                                 Rollcd\xc2\xb7forward as Report 4A-CI-00-08\xc2\xad    Reporl4A-CI-OO-IO-OI9\n        IT security policies.\n                                                                     022 Recommendation 19, and FY 2009       Recommendation I.\n                                                                     4A-CI-OO-09-031 Recommendation 30.\n\n\n                                                                      2\n\n\x0cReport No. 4A-CI-00-08-022: FY 2008 Federal Information Security Management Act Audit, issued September 23, 2008\n\n Rec#                   Original Recommendation                 -\n                                                                              Recommendation Historv                 Current Status\n                                                                       Recommendation new in FY 2008.          OPEN - Rolled-forward as\n   I    We recommend that OPM ensure that an annual test of            Rolled-forward as Report 4A-CI-00-09\xc2\xad   Report 4A-CI-00-10-019\n        security controls has been completed for all systems.          031 Recommendation 6.                   Recommendation 10.\n                                                                       Recommendation new in FY 2008.          
OPEN Rolled-forward as\n        We recommend that OPM\'s program offices test the\n   2                                                                   Rolled-forward as Report 4A-CI-00-09\xc2\xad   Report 4A-CI-00-l 0-0 I 9\n        contingency plans for each system on an annual basis.\n                                                                       031 Recommendation 9.                   Recommendation 30.\n                                                                      \'Recommendation new in FY 2008.          OPEN Rolled-forward as\n   4    We recommend that the program offices incorporate all          Rolled-forward as Report 4A-CI-00-09\xc2\xad   Report 4A-CI-00-l 0-019\n        known security weaknesses into the POA&Ms.                     031 Recommendation 12.                  Recommendation 18.\n                                                                       Recommendation new in FY 2008.          OPEN Rolled-forward as\n   5    We recommend that an up-to-date POA&M exist for each           Rolled-forward as Report 4A-CI-00-09\xc2\xad   Report 4A-CI-00-I 0-0 19\n        system in OPM\'s inventory.                                     031 Recommendation 13.                  Recommendation 19.\n                                                                       Recommendation new in FY 2008.          OPEN Rolled-forward as\n        We recommend that all program offices submit POA&Ms\n   6                                                                   Rolled-forward as Report 4A-CI-00-09\xc2\xad   Report 4A-CI-00-I 0-0 19\n        to the CIS/CIO oftice on a quarterly basis.\n                                                                       031 Recommendation 13.                  Recommendation 19.\n        We recommend that the CIS/CIO take the appropriate steps       Recommendation new in FY 2008.          
9    [...] to ensure that all active systems in OPM's inventory have a complete and current C&A.
     History: Rolled-forward as Report 4A-CI-00-09-031 Recommendation 16.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 5.

12   We recommend that OPM continue its efforts to reduce the use of SSNs and develop a formal plan to eliminate the unnecessary collection and use of SSNs within 18 months in accordance with OMB M-07-16.
     History: Recommendation new in FY 2008. Rolled-forward as Report 4A-CI-00-09-031 Recommendation 22.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 39.

13   We recommend that OPM continue its efforts to implement a solution to automatically encrypt all data on mobile computers/devices carrying agency data unless the data is determined not to be sensitive.
     History: Rolled-forward from Report 4A-CI-00-07-007 Recommendation 4 and 4A-CI-00-07-015 Recommendation 3. Rolled-forward as Report 4A-CI-00-09-031 Recommendation 24.
     Status:  CLOSED

15   We [...] a manner consistent with OPM's [...] Policy. Each of the vulnerabilities [...] in [...] audit inquiry should be formally documented, itemized, and prioritized in a POA&M. In the event that a vulnerability cannot be remediated due to a technical or business reason, the supported system's owner should document the reason in the [...] ISSP [...] associated risks.
     History: Recommendation new in FY 2008. Rolled-forward as Report 4A-CI-00-09-031 Recommendation 28.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 41.

16   We recommend that OPM continue its efforts to implement all required elements of the FDCC.
     History: Recommendation new in FY 2008. Rolled-forward as Report 4A-CI-00-09-031 Recommendation [number not legible].
     Status:  [...] Rolled-forward as Report 4A-CI-00-10-019 Recommendation [number not legible].

19   We recommend that the CIS/CIO promptly update OPM's IT security policies and publish them to THEO.
     History: Rolled-forward from Report 4A-CI-00-07-007 Recommendation 3 and 9, 4A-CI-00-07-015 Recommendation 1, and 4A-CI-00-06-016 Recommendation 6. Rolled-forward as Report 4A-CI-00-09-031 Recommendation [number not legible].
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 1.


Report No. 4A-CI-00-09-053: Flash Audit Alert - Information Technology Security Program at the U.S. Office of Personnel Management, issued May 27, 2009

FY Rec# | Flash Audit Alert Original Recommendation | Recommendation History | Current Status

1    We recommend that CIS correct the FY 2009 second quarter FISMA report to accurately reflect the status of OPM's IT security position as of March 1, 2009.
     History: Recommendation new in FY 2009.
     Status:  CLOSED

2    We recommend that CIS develop a comprehensive set of IT security policies and procedures, and a plan for updating it at least annually.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 1.

3    We recommend that the OPM Director ensure that OS has adequate resources to properly staff its IT Security and Privacy Group.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 2.
4    We recommend that CIS recruit a permanent Senior Agency Information Security Officer as soon as possible, and adequate staff to effectively manage the agency's IT security program.
     History: Recommendation new in FY 2009.
     Status:  CLOSED


Report No. 4A-HR-00-09-033: Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Enterprise Human Resources Integration Data Warehouse FY 2009, issued June 1, 2009

Rec# | Original Recommendation | Recommendation History | Current Status

1    We recommend that HRLOB routinely audit active EHRIDW user accounts for appropriateness.
     History: Recommendation new in FY 2009.
     Status:  CLOSED


Report No. 4A-CI-00-09-052: Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Integrated Security Management System, issued August 10, 2009

Rec# | Original Recommendation | Recommendation History | Current Status

1    We recommend that CSEA continue to develop and improve the ISMS contingency plan. This includes, but is not limited to, adding specific and detailed steps to the recovery procedures and assigning specific individuals to the various recovery teams. CSEA should conduct another test of the contingency plan after the plan has been modified.
     History: Recommendation new in FY 2009.
     Status:  CLOSED

2    We recommend that ISMS edit its POA&M template to facilitate the prioritization of weaknesses.
     History: Recommendation new in FY 2009.
     Status:  CLOSED

3    We recommend that CSEA expand the ISMS audit procedures to include a process for reviewing the activities of the system administrator.
     History: Recommendation new in FY 2009.
     Status:  CLOSED

4    We recommend that CSEA disable all shared user accounts for ISMS, and enforce the use of individual accounts for all users.
     History: Recommendation new in FY 2009.
     Status:  CLOSED

5    We recommend that CSEA document a baseline configuration for ISMS's application level settings and develop procedures for requesting and approving changes to these settings.
     History: Recommendation new in FY 2009.
     Status:  CLOSED

6    We recommend that CSEA have all ISMS users sign the rules of behavior document.
     History: Recommendation new in FY 2009.
     Status:  CLOSED


Report No. 4A-CI-00-09-031: FY 2009 Federal Information Security Management Act Audit, issued November 4, 2009

FY Rec# | Original Recommendation | Recommendation History | Current Status

1    We recommend that CIS conduct a survey of OPM program offices (particularly the Benefits Systems Group) to identify any systems that exist but do not appear on the system inventory. The systems discovered during this survey should be promptly added to the system inventory and certified and accredited.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 33.

2    We recommend that CIS develop and maintain an inventory of all system interfaces.
     History: Recommendation new in FY 2009.
     Status:  CLOSED

3    We recommend that CIS develop a policy providing guidance on the development and appropriate use of MOUs and ISAs.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 34.

4    We recommend that CIS conduct a survey to determine how many systems owned by another agency are used by OPM.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 35.

5    We recommend that CIS develop a policy for adequately testing the security controls of OPM's systems, and provide training to the Designated Security Officer (DSO) community related to proper security control testing.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 9.

6    We recommend that OPM ensure that an annual test of security controls has been completed for all systems. The IT security controls should be immediately tested for the two systems that were not subject to testing in FY 2009.
     History: Rolled-forward from Report 4A-CI-00-08-022 Recommendation 1.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 10.

7    We recommend that OPM develop detailed guidance related to developing and testing the contingency plans of agency systems and provide training to the DSO community related to proper contingency planning and contingency plan testing.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 28.

8    We recommend that up-to-date contingency plans be developed for all agency systems.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 29.

9    We recommend that OPM's program offices test the contingency plans for each system on an annual basis. The contingency plans should be immediately tested for the 11 systems that were not subject to testing in FY 2009.
     History: Rolled-forward from Report 4A-CI-00-08-022 Recommendation 2.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 30.

10   We recommend that OPM develop a policy providing guidance on providing adequate oversight of contractor operated systems.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 32.

11   We recommend that CIS publish the Plan of Action and Milestone Standard Operating Procedure to THEO. Once the procedures have been published, CIS should work closely with the DSO community, providing training and information-sharing sessions, to implement the procedures and ensure that there is a clear understanding of the appropriate management of POA&Ms.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 17.

12   We recommend that OPM program offices incorporate all known IT security weaknesses into POA&Ms.
     History: Rolled-forward from Report 4A-CI-00-08-022 Recommendation 4.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 18.

13   We recommend that an up-to-date POA&M exist for each system in OPM's inventory, and that system owners submit updated POA&Ms to CIS on a quarterly basis.
     History: Rolled-forward from Report 4A-CI-00-08-022 Recommendations 5 and 6.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 19.

14   We recommend that CIS develop a formal corrective action plan to immediately remediate all POA&M weaknesses that are over 120 days overdue. In addition, we recommend that CIS take a lead role in the future and work closely with OPM program offices to ensure that POA&M completion dates are achieved.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 20.

15   We recommend that the program offices responsible for the two systems in question prioritize the system weaknesses listed on their POA&Ms.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 22.

16   We recommend that all active systems in OPM's inventory have a complete and current C&A.
     History: Rolled-forward from Report 4A-CI-00-08-022 Recommendation 9.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 5.

17   We recommend that the FIPS Publication 199 security categorization be updated for the inappropriately categorized system.
     History: Recommendation new in FY 2009.
     Status:  CLOSED

18   We recommend that CIS update the PIA Guide to address all of the requirements of OMB Memorandum M-03-22.
     History: Recommendation new in FY 2009.
     Status:  CLOSED

19   We recommend that CIS conduct a new PIA survey to determine which OPM systems require a PIA, including those systems that process sensitive information about government employees and contractors.
     History: Recommendation new in FY 2009.
     Status:  CLOSED - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 36, but closed due to response from draft report.

20   We recommend that a new PIA be conducted for the appropriate systems based on the updated PIA Guide.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 37.

21   We recommend that each system owner annually review the existing PIA for their system to reevaluate current holdings of PII, and that they submit evidence of the review to CIS.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 38.

22   We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16.
     History: Rolled-forward from Report 4A-CI-00-08-022 Recommendation 12.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 39.

23   We recommend that OPM participate in government-wide efforts to explore alternatives to agency use of SSNs, as required by OMB Memorandum M-07-16.
     History: Recommendation new in FY 2009.
     Status:  CLOSED

24   We recommend that CIS encrypt all data on all mobile computers containing sensitive information.
     History: Rolled-forward from Report 4A-CI-00-07-007 Recommendation 4, 4A-CI-00-07-015 Recommendation 3, and Report 4A-CI-00-08-022 Recommendation 13.
     Status:  CLOSED

25   We recommend that OPM develop an up-to-date Security Configuration and Hardening Policy, Patch Management Policy, and System Monitoring Policy.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 11.

26   We recommend that OPM implement FDCC compliant images on all OPM workstations.
     History: Rolled-forward from Report 4A-CI-00-08-022 Recommendation 16.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 14.

27   We recommend that OPM incorporate Federal Acquisition Regulation 2007-004 language in all contracts related to common security settings.
     History: Recommendation new in FY 2009.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 40.

28   We recommend that in the event that a [...] vulnerability cannot be remediated due to a technical or business reason, the system's owner should document the reason in the system's ISSP and formally accept any associated risks.
     History: Rolled-forward from Report 4A-CI-00-08-022 Recommendation 15.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 41.

29   We recommend that CIS determine which systems in its inventory are subject to e-Authentication requirements and complete e-Authentication risk assessments for each of these systems.
     History: Recommendation new in FY 2009.
     Status:  CLOSED

30   We recommend that CIS develop up-to-date and comprehensive IT security policies and procedures, and publish these documents to THEO.
     History: Rolled-forward from Report 4A-CI-00-06-016 Recommendation 6, 4A-CI-00-07-007 Recommendation 3 and Recommendation 9, 4A-CI-00-07-015 Recommendation 1, and 4A-CI-00-08-022 Recommendation 19.
     Status:  OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 1.


                                          Appendix


                    UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
                                   Washington, DC 20415


MEMORANDUM

                         Information Systems Audit Group

                         MATTHEW E. PERRY
                         Chief Information Officer
                         [signature and date not legible in source]

Subject:                 Response to the Federal Information Security Management Act Audit -
                         FY 2010, Report No. 4A-CI-00-10-019


Thank you for the opportunity to comment on the subject report. The results provided in the draft report consist of a number of recommendations. The recommendations are valuable to our program improvement efforts and most of them are generally consistent with our plan.

OIG Recommendations:

Recommendation 1 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 30, 4A-CI-00-08-022 Recommendation 19, and 4A-CI-00-09-053 Recommendation 2)
We recommend that CIS develop up-to-date and comprehensive IT security policies and procedures, and publish these documents to THEO, and a plan for updating them at least annually.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation of the status of the IT security policies and procedures. The IT security and privacy policy volume 1 and volume 2 were last updated and posted on THEO in August 2009.
The\nCIO understands that additional policy updates art required to comply with guidance issued by NIST\nduring the last year and to address some deficiencies in the current policies. The Bureau of the Public\nDebt (BPD) has been retained through an lnteragco\\.-y Agreement to update and to bring IT Security and\nPrivacy policies into OPM and FJSMA compliance. A kickoff meeting was held for this project on\nSeptember 2010 and BPD is expected to be on site to conect policy requirements during the next 60\ndays. A comprehensive IT security and Privacy handbook is expected to be completed in FY20 11.\n\nThis recommendation also cited the need for procedures and a number of procedures were created or\nupdated and posted on 11IEO in 200912010 including:\n\n   \xe2\x80\xa2   Certification and Accreditation Guide (July 2009)\n   \xe2\x80\xa2   Incident Response and Reporting Guide (July 2009)\n   \xe2\x80\xa2   LAN Complex Passwords (June 2009)\n   \xe2\x80\xa2   OPM Computer User Responsibilities (June 2009)\n\x0c   \xe2\x80\xa2 \t Plan of Action and Milestone (POA&M Standard Operating Procedure (September 2009)\n   \xe2\x80\xa2 \t Process for Analyzing New and Emerging Infonnation Security and Privacy \n\n       Requirements (July 2009) \n\n   \xe2\x80\xa2 \t System Access Authorization Procedure (July 2009)\n   \xe2\x80\xa2 \t Privacy Impact Assessment (PIA) Guide (April 20 I 0)\n   \xe2\x80\xa2 \t System o f Records Notice (SORN) Guide (April 2010)\n\nThe CIO believes that the above procedures have enhanced IT security and privacy at OPM and\nunderstands that additional work needs to be done to develop new procedures and to enhance\nexisting ones as necessary . 
Current procedures wilt be revi sited and additional ones will be\ndeveloped in FY201 I as necessary.\n\nReeommendation 2 (Roll-forward [rom OIG Rep,}rt 4A-CI-OO-09-053 Recommendati\'m 3)\nWe recommend tbat tbe OPM Director ensure that CIO has adequate resourees to\npropcrl~\' staff its IT Seeurity and Privacy Group.\n\n\nThe CIO concurs with this recommendation and offers clarifying remarks in order to present a\nmore current interpretation of the staffing situation in the IT Secunty and Privacy Group. During\nthe past five months, a Senior Agency Tnfo nnation Security Officer has being hired and the staff\ncomplement in the security and privacy group has increased from _              FTEs along with\ncontractor resources as needed . Recognizing that additional staff resources are needed. the CIO\nbelieves that incremental progress is being made in this area.\n\nRecommendation 3\nWe recommend that CIO develop and implement an active strategy to maintain up-to-date\ninformation regarding OPM\'s master system inventory.\n\nThe CIO concurs v.ith thi s recommendation and has already taken steps thro ugh the issuance of\na data call to the IT Securi ty Working Group on September 8, 20 10 to identify systems used by\nOPM that are not on the FISMA system inventory . The CIa has also initiated an internal review\nto detennine if applications werc inappropriately bundled into other larger systems as previously\nreported in prior audit findings. Additional system s idenlified from the data call and internal\nsystem review will be evaluated for addition to the master system inventory.\n\nRecommendation 4\nWe recommend tbat OPM implement a centralized information securit)\' governance\nstructure where all information security practitioners, including designated seeurity\nofficers, report to the Senior Agency Information Seeurity Official. Adequate resources\n\x0cshould be assigned to the OCIO to create this structure. 
Existing designated security\nofficers who report to their program offices should return to their program office duties.\nThe new staff that reports to the SAISO should consist of experienced information security\nprofessionals.\n\nThe CIO concurs with this recommendation. The overall IT security governance at OPM can be\nimproved by implementing a centralized information security governance structure consisting of\nIT security professionals.\n\n\nRecommendation 5 (Roll-Forward from DIG Report No. 4A-CI-OO-09-03J Recommendation\nl..\xc2\xa7l\nWe recommend that all active systems in OPM\'s inventory have a complete and current\nC&A.\n\nThe CIO concurs with this recommendation and offers clarifying remarks in order to present a\nmore current interpretation. Program offices are responsible for the security and C&A of their\nsystems. C&As are often contracted to various entities that employ different styles in preparing\nthe final packages and this explains why all C&A packages do not look alike. The CIO believes\nthat all completed C&A packages must properly address required security controls and contain\nrequired artifacts per the OPM C&A Guide, and that the look and feel of packages is a reflection\nof the various sources contracted by the program offices to complete the packages.\n\nRegarding, the six systems with expired C&A, the CIO agrees that all production systems should\nhave a current C&A. However, the OPM procurement process can be lengthy depending on\nworkload has an effect on getting contracts and interagency agreements for C&A in place. The\nextended Authority to Operate for the six systems was issued in support of OPM mission support\nactivities.\n\nRecommendation 6\nWe recommend that CIO develop a risk assessment policy to provide guidance to program\noffices conducting a risk assessment as part of the C&A process.\n\nThe CIO does not concur with this recommendation. 
Risk assessment policies are documented in the current IT Security and Privacy Policy Volume 2 that is posted on THEO. However, risk assessment policy will be revisited and updated in the new IT Security policy updates that BPD has been retained to complete.

Recommendation 7
We recommend that CIO develop an ISSP policy to provide guidance to program offices developing a security plan as part of the C&A process.

The CIO does not concur with this recommendation. Information Systems Security Plan policies are documented in the current IT Security and Privacy Policy Volume 2 that is posted on THEO. The policies also reference NIST security plan templates that can be used to build a security plan. However, IT security plans policy will be updated to provide additional as part of the BPD policy update project.

Regarding the review of C&A packages, two full time resources have been hired to review C&A packages and to provide guidance to the DSO community. One of these resources is already onboard and the second is expected to start work after completing the necessary new employee onboarding procedures.

Recommendation 8
We recommend that CIO assign additional resources to facilitate the C&A process to ensure the consistency and quality of C&A packages developed by OPM program offices.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The CIO has doubled the number of full time resources assigned to the C&A program and this increase in resources will improve the quality of C&A packages. C&A packages found to be of poor quality are being returned for rework for correction of deficiencies.

Recommendation 9 (Roll-Forward from OIG Report No. 4A-CI-00-09-031 Recommendation Jl)
We recommend that CIS develop a policy for adequately testing the security controls of OPM's systems, and provide training to the DSO community related to proper security control testing.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The Information Security and Privacy Policy Volume 1 requires security controls to be periodically assessed and CIO security staff works with the DSO community on annual testing efforts including keeping track of the number of systems that have tested their security controls. We will enhance the current security policy in the security handbook that is under development and provide additional guidance to DSOs to enhance the testing of security controls.

Recommendation 10 (Roll-Forward from OIG Report No. 4A-CI-00-09-031 Recommendation 6 and Report 4A-CI-00-08-022 Recommendation 1)
We recommend that OPM ensure that an annual test of security controls has been completed for all systems.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The CIO staff continues to work with the DSO community to ensure that security controls have been tested for all systems. The CIO security staff sends out a reminder to all DSOs each month informing them to complete required security controls testing and assists with technical guidance. We will continue to work with the DSO community and escalate systems where security controls have not been tested to the associated director in the specific business area.

Recommendation 11 (Roll-Forward from OIG Report No. 4A-CI-00-09-031 Recommendation m)
We recommend that CIO develop and publish to THEO an up-to-date Patch Management Policy.

The CIO does not concur with this recommendation. The OPM ISPP details the high level patch (flaw remediation) requirements and agency policy. (See ISPP Volume 2, page 71, 800-53 rev 3 Control SI-2.) Low level procedures exist and are utilized by the Network Management administrators to patch desktops and servers. Ongoing improvements to the patch management process are being tested and implemented as new tools and processes become available. Current initiatives include procurement requests for enterprise-wide patch and vulnerability management tools (Big Fix and Windows SUS) scheduled for implementation in FY 2011.

Recommendation 12
We recommend that CIO develop a single centralized agency-wide hardware inventory.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. Network Management is actively implementing a centralized agency-wide automated hardware inventory tracking system. Asset tags are being applied to all accountable IT assets and pending procurements for scanning equipment are expected to quickly bring the outstanding inventory under control. Daily and weekly automated inventory reports are now being produced and internal audits of the process will begin this quarter.

Recommendation 13
We recommend that CIO develop and implement a strategy for using automated techniques for tracking hardware inventory.

The CIO concurs with this recommendation.

Recommendation 14 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 26 and Report 4A-CI-00-08-022 Recommendation 16)
We recommend that CIO implement FDCC compliant images on all OPM workstations.

The CIO concurs with this recommendation and offers the following clarifying remarks: An FDCC workstation baseline image has been created and is currently being deployed. All new workstations and all agency laptops are currently secured utilizing an FDCC (USGCB) compliant image. The FDCC image has been rolled out to 1200 laptops and 800 desktops as of this date.
Image deployment and enforcement of the legacy workstations is currently an active project and is being pushed through domain GPO. The addition of workstations occurs daily and is scheduled to have full completion by the end of the first quarter of FY 2011. Part of the delay in implementation was due to working with the union to assess the impact on employees.

Recommendation 15
We recommend that CIO improve the spreadsheet used to track security training to include a job function/responsibility for each individual that directly maps to the table containing training requirements.

The CIO concurs with this recommendation and believes that the current spreadsheet used to track specialized security training can be improved. We will update the spreadsheet to include job function and responsibility for each individual that maps to the table containing training requirements.

Recommendation 16
We recommend that CIO ensure that all employees with significant information security responsibility take meaningful and appropriate specialized security training on an annual basis.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The CIO believes that many employees are already taking meaningful and appropriate specialized training such as specialized courses offered through outside training providers, IT security conferences and other sources. However, OPM has contracted with Skill Soft to provide online training to employees at no additional cost.
The CIO believes that the security courses available online through Skill Soft such as CISSP prep courses among others will be sufficient to meet the specialized training requirements.

Recommendation 17 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 11)
We recommend that CIO work closely with the DSO community, providing training and information-sharing sessions, to implement the procedures and ensure that there is a clear understanding of the appropriate management of POA&Ms.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The CIO is working closely with the DSO community on training and information sharing activities through the IT Security Working Group (ITSWG) that is facilitated by the Senior Agency Information Security Officer monthly. During FY10 we provided training on contingency plan testing, common security controls and POA&M management in addition to other areas. The CIO believes that this type of training is beneficial to the DSOs and for maintaining the OPM IT Security program and will continue to provide training and information sharing sessions through the ITSWG. The CIO will encourage all DSOs to take advantage of specialized training opportunities through the OPM Skill Soft program.

Recommendation 18 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 12 and OIG Report 4A-CI-00-08-022 Recommendation 4)
We recommend that OPM program offices incorporate all known IT security weaknesses into POA&Ms.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The CIO has dedicated multiple resources to ensure that all IT security weaknesses are incorporated into POA&Ms and has implemented safeguards to ensure accuracy.
The CIO will continue to improve the POA&M management process.

Recommendation 19 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 13 and 4A-CI-00-08-022 Recommendations 5 and 6)
We recommend that an up-to-date POA&M exist for each system in OPM's inventory, and that system owners submit updated POA&Ms to CIS on a quarterly basis.

The CIO does not concur with this recommendation. The CIO believes that up-to-date POA&Ms are in place for the systems on the OPM inventory and this is evident by a 100% compliance rate for Quarters 3 and 4 of FY10. The CIO believes that this recommendation focused on a period prior to Quarter 3 of FY10.

Recommendation 20 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 14)
We recommend that CIS develop a formal corrective action plan to immediately remediate all POA&M weaknesses that are over 120 days overdue. In addition, we recommend that CIS take a lead role in the future and work closely with OPM program offices to ensure that POA&M completion dates are achieved.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The CIO agrees that an action plan to remediate POA&M weaknesses that are over 120 days is appropriate and will take steps to develop the action plan. However, the CIO does not agree that all POA&Ms that are over 120 days can be remediated immediately because the resolution to some of these POA&Ms is beyond OPM's control and requires the cooperation of other stakeholders outside of OPM such as other Federal agencies. Many of these agencies for example have not implemented two factor authentication for various reasons including financial and this will prevent closure of certain POA&Ms that are over 120 days.
The CIO will make every effort to assess and remediate as many of these POA&Ms as possible.

Recommendation 21
We recommend that CIO verify that adequate proof of closure documentation exists for remediated weaknesses before allowing the program office to close POA&M items.

The CIO does not concur with this recommendation. The POA&M management team in the Security and Privacy Group verifies that all POA&Ms submitted by Program Offices have adequate supporting evidence to close the POA&M and ensures that a proof of closure form is completed for each POA&M before closure takes place. Requests to close POA&Ms with adequate documentation or completed proof of closure forms are returned to the sender.

Recommendation 22 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 15)
We recommend that the program offices responsible for the LAN/WAN prioritize the system weaknesses listed on its POA&Ms.

The CIO does not concur with this recommendation. The LAN/WAN POA&Ms are prioritized and were most recently updated during the June 2010 re-certification.

Recommendation 23
We recommend that CIO update its telecommuting and remote access policy in accordance with NIST SP 800-46 Revision 1 guidelines.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The remote access policy and procedures are currently under review while new remote access methods are being tested and evaluated. Review and testing of new policy and procedures are expected to begin the second quarter FY 2011.

Recommendation 24




Recommendation 25:
We recommend that CIO implement an automated process to detect unauthenticated network devices.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation.
An automated process to detect unauthenticated network devices has been procured and is expected to be in place and operational in the third quarter FY 2011.

Recommendation 26
We recommend OPM develop a Continuous Monitoring Policy that outlines a strategy for identifying information security controls that need continuous monitoring as well as procedures for conducting the tests.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The CIO believes that continuous monitoring must be part of the IT Security policy updates that are now underway with assistance from the Bureau of the Public Debt. However, the CIO believes that security controls associated with continuous monitoring are documented in the Certification & Accreditation guide posted on THEO.

Recommendation 27
We recommend OPM create a list of common security controls and distribute this information to OPM program offices responsible for testing individual applications.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The CIO has initiated a project to establish enterprise common controls under the management of the Senior Agency Information Security Officer. The IT Security Working Group has been briefed on this project and work has started with the program offices to identify common security controls and to consolidate them in a managed data repository.
Enterprise common controls are expected to be in place in FY11.

Recommendation 28 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 7)
We recommend that OPM develop detailed guidance related to developing and testing the contingency plans of agency systems and provide training to the DSO community related to proper contingency planning and contingency plan testing.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The CIO believes that the contingency plan training provided to the Designated Security Officers through the IT Security Working Group is adequate. The CIO plans to standardize the contingency plan templates to improve the quality of the testing process.

Recommendation 29: (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 8)
We recommend that up-to-date contingency plans be developed for all agency systems.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The CIO believes that having up-to-date contingency plans is important and will continue to work with the Designated Security Officers to keep plans current.

Recommendation 30: (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 9 and OIG Report 4A-CI-00-08-022 Recommendation 2)
We recommend that OPM's program offices test the contingency plans for each system on an annual basis. The contingency plans should be immediately tested for the 17 systems that were not subject to adequate testing in FY 2010.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. Contingency plans are tested for a majority of systems on an annual basis and the records of each test are maintained by the Security and Privacy Group.
The CIO acknowledges that some systems are behind schedule (approximately 10) with their testing in 2010 and will work to ensure that all testing is completed.

Recommendation 31
We recommend that an OPM employee test information security controls for all systems operated by a contractor on an annual basis.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The CIO has provided guidance for testing security controls for contractor operated systems and the Security and Privacy Group has assessed security controls at the hosting facility for the IGS_LMS Learning Management System. The Security and Privacy Group plans to extend security controls testing in FY 11 at other contractor facilities operating OPM systems.

Recommendation 32 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 10)
We recommend that OPM develop a policy providing guidance on adequate oversight of contractor operated systems.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. Policy covering oversight of contractor systems is documented in the IT Security & Privacy Handbook Volume 1 that is posted on THEO. Additional related policy will be included in the policy update effort that is now in progress that will result in comprehensive IT security policies.

Recommendation 33 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 1)
We recommend that CIS conduct a survey of OPM program offices (particularly the Benefits Systems Group) to identify any systems that exist but do not appear on the system inventory. The systems discovered during this survey should be promptly added to the system inventory and certified and accredited.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation.
A survey has been distributed to identify systems used by OPM that might not be on the system inventory. The results of the survey will be used to update the system inventory as necessary.

Recommendation 34 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 3)
We recommend that CIO develop a policy providing guidance on the development and appropriate use of MOUs and ISAs.

The CIO does not concur with this recommendation and believes that MOU and ISA policies are documented in the IT Security and Privacy Handbook Volume 2 that is posted on THEO. The current MOU/ISA policies will be enhanced as part of the security policy update project.

Recommendation 35 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 4)
We recommend that CIS conduct a survey to determine how many systems owned by another agency are used by OPM.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. A survey has been distributed to program offices to identify systems used by OPM that might not be on the system inventory. The results of the survey will be used to update the system inventory as necessary and to determine other systems owned by other agencies that are used by OPM.

Recommendation 36 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 19)
We recommend that CIO conduct a new PIA survey to determine which OPM systems require a PIA, including those systems that process sensitive information about government employees and contractors.

The CIO does not concur with this recommendation. Privacy Threshold Analysis documentation is performed for each system to discover whether a PIA is required.
This is in accordance with NIST 800-122 recommendations.

Recommendation 37 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 20)
We recommend that a new PIA be conducted for the appropriate systems based on the updated PIA Guide.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The new PIA template was reviewed and accepted by the OIG. We are informing DSOs that there are new requirements when they submit their PIAs for review. The PIA submitted by the DSO is being updated with the new questions required by the IG and returned to the DSO for completion. The "guide" itself is being updated to reflect the new questions and will need to be approved in OMS through the established directive process before it can be published to the OPM.GOV and THEO websites.

Recommendation 38 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 21)
We recommend that each system owner annually review the existing PIA for their system to reevaluate current holdings of PII, and that they submit evidence of the review to CIO.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. System Owners are required to validate PTAs annually.

Recommendation 39 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 22 and Report 4A-CI-00-08-022 Recommendation 12)
We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. OPM currently does not have the funding to effectively pursue the elimination of unnecessary use of SSNs as stated in OMB memorandum M-07-16.
Efforts are made when the unnecessary use of SSN is discovered in PTA and PIA documentation and efforts are explored with the program office for alternatives. OPM does comply with the requirement to meet regularly with other federal agencies on this effort.

Recommendation 40 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 27)
We recommend OPM incorporate Federal Acquisition Regulation 2007-004 language in all contracts related to common security settings.

The CIO concurs with this recommendation.

Recommendation 41 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 28 and Report 4A-CI-00-08-022 Recommendation 15)
We recommend that in the event that an Oracle vulnerability cannot be remediated due to a technical or business reason, the system's owner should document the reason in the system's ISSP and formally accept any associated risks.

The CIO concurs with this recommendation.

cc:
    Information Security Officer
    Internal Oversight and Compliance


Appendix III

Inspector General
Section Report

Office of Personnel Management

Printed: October 29, 2010, 8:15 am


Section 1: Status of Certification and Accreditation Program
1. Selected response is:
   b. The Agency has established and is maintaining a certification and accreditation program. However, the Agency needs to make significant improvements as noted below.
   Comments: The OIG's FY 2008 and FY 2009 FISMA audit reports stated that weaknesses in OPM's C&A process were a significant deficiency in the internal control structure of the agency's IT security program.
   The weaknesses cited related to inadequate management of the process and incomplete, inconsistent, and poor quality C&A products. In FY 2010 these longstanding conditions not only continued, but actually degraded. As a result, we are now reporting a material weakness in the IT security control structure related to OPM's C&A process.

   We believe that the root causes of these issues include insufficient staffing in the IT Security and Privacy Group, a lack of policy and procedures, and the decentralized designated security officer (DSO) model in place at OPM.

   1a. Areas for Improvement:
   1a(1). Certification and accreditation policy is not fully developed.
          Yes
          Comments: In July 2009, OPM's Office of the Chief Information Officer (OCIO) published an agency-wide Certification and Accreditation Guide. The C&A Guide addresses the roles and responsibilities of key personnel, a walkthrough of the C&A Process, and a listing of the various security documents that are required elements of a C&A.

          However, OPM's C&A Guide does not provide standard forms, templates, or detailed guidance on how to prepare each of the required elements. The lack of such guidance has led to extreme inconsistencies in the quality of C&A packages for various OPM systems.
   1a(2). Certification and accreditation procedures are not fully developed, sufficiently detailed or consistently implemented.
          Yes

OIG Report - Annual 2010                                                                        Page 1 of 17
                                          For Official Use Only

          Comments: The OIG reviewed the full C&A packages of 15 systems that were subject to a C&A during FY 2010. Although the packages we reviewed contained all of the elements required by OPM's C&A Guide, the quality of these packages varied significantly between systems.

          Although various forms of general guidance are available to assist program offices in the development of C&A elements, the OCIO has not implemented centralized policies, guidelines, or templates outlining how various C&A elements should be completed for OPM systems. As a result, the content and quality of a specific C&A element varies widely between systems.
   1a(3). Information systems are not properly categorized (FIPS 199/SP 800-60).
          No
   1a(4). Accreditation boundaries for agency information systems are not adequately defined.
          No
   1a(5). Minimum baseline security controls are not adequately applied to information systems (FIPS 200/SP 800-53).
          No
   1a(6). Risk assessments are not adequately conducted (SP 800-30).
          Yes
          Comments: OPM's OCIO has not developed a risk assessment policy. The extreme range in quality between risk assessments conducted by various OPM program offices indicates that the OCIO has not provided adequate risk assessment guidance.
   1a(7). Security control baselines are not adequately tailored to individual information systems (SP 800-30).
          No
   1a(8). Security plans do not adequately identify security requirements (SP 800-18).
          Yes
          Comments: OPM's OCIO has not developed an information system security plan (ISSP) policy. The extreme range in quality between ISSPs conducted by various OPM program offices indicates that the OCIO has not provided adequate ISSP guidance.
   1a(9). Inadequate process to assess security control effectiveness (SP 800-53A).
          Yes
          Comments: The OIG conducted a review of the documentation resulting from the security controls tests for each of the 43 systems in OPM's inventory. Our evaluation indicated that the IT security controls had been adequately tested for only 28 of OPM's 43 systems during FY 2010.

          There was a wide range of quality amongst the 28 security control tests that were conducted. Some program offices tested all security controls applicable to that system while others tested only a small subset. There was also a variance in the security controls that program offices assumed to be "common controls" inherited from OPM's IT and facility infrastructures. In addition, the tests were documented in many different formats and templates. We believe that these inconsistencies are a result of OPM's lack of agency-wide policy or guidance on how to adequately test information system security controls.
   1a(10). Inadequate process to determine risk to agency operations, agency assets, or individuals, or to authorize information systems to operate (SP 800-37).
          Yes
          Comments: Seven OPM systems are currently operating without an active C&A.

          The OIG identified one OPM system that was in production for several years without being subject to a C&A.

          In addition, the prior C&A for six additional systems from OPM's inventory expired in FY 2010, and a new C&A has not been completed. Although an "Interim Authorization to Operate" (IATO) was issued for these systems, they are currently running in a production environment without an active C&A.
   1a(11). Inadequate process to continuously track changes to information systems that may necessitate reassessment of control effectiveness (SP 800-37).
          No
   1a(12). Other
          Yes
          Explanation for Other: OCIO management of C&A Process
          Comments: OPM's OCIO is responsible for assisting program offices in the development of C&A packages for their systems. OPM's C&A Guide also states that the OCIO must review completed C&A packages for quality and completeness before recommending the system for accreditation.

          Although the OCIO has procedures for conducting post-completion reviews of C&A packages, the OCIO does not have the resources available to actively participate in the planning or development of the C&A packages for each agency system.

Section 2: Status of Security Configuration Management
2. Selected response is:
   b. The Agency has established and is maintaining a security configuration management program. However, the Agency needs to make significant improvements as noted below.
   Comments: OPM's OCIO has implemented an agency-wide Configuration Management Policy. This policy was updated during FY 2010 and outlines the process for maintaining a secure configuration network environment.
   2a. Areas for Improvement:
   2a(1). Configuration management policy is not fully developed.
          No
   2a(2). Configuration management procedures are not fully developed or consistently implemented.
          No
   2a(3). Software inventory is not complete (NIST 800-53: CM-8).
          No
   2a(4).
          Standard baseline configurations are not identified for all software components (NIST 800-53: CM-8).
          No
   2a(5). Hardware inventory is not complete (NIST 800-53: CM-8).
          Yes
          Comments: OPM currently uses several Excel spreadsheets to track its computer hardware inventory. These spreadsheets are manually updated when new hardware is purchased or old hardware is decommissioned. Separate spreadsheets are maintained by different individuals for Windows servers, Linux servers, and all servers operated by OPM's Federal Investigative Services program office. However, each of these spreadsheets is maintained independently from the other inventories, and no individual at OPM maintains a single inventory listing that contains all computer hardware owned by the agency. Therefore, the OCIO is unable to attest that all computer hardware in OPM's operating environment is accounted for.

   2a(6). Standard baseline configurations are not identified for all hardware components (NIST 800-53: CM-2).
          No
   2a(7). Standard baseline configurations are not fully implemented (NIST 800-53: CM-2).
          No
   2a(8). FDCC is not fully implemented (OMB) and/or all deviations are not fully documented.
          Yes
          Comments: OPM has developed a Windows XP standard image that is generally compliant with Federal Desktop Core Configuration (FDCC) standards, and has documented nine deviations between this image and FDCC requirements. However, as of September 30, 2010, OPM's FDCC compliant image has not been rolled out to the majority of OPM workstations.
   2a(9). Software scanning capabilities are not fully implemented (NIST 800-53: RA-5, SI-2).
          No
   2a(10). Configuration-related vulnerabilities have not been remediated in a timely manner (NIST 800-53: CM-4, CM-6, RA-5, SI-2).
          No
   2a(11). Patch management process is not fully developed (NIST 800-53: CM-3, SI-2).
          Yes
          Comments: OPM's OCIO has implemented a patch management policy that outlines the responsibilities and procedures for ensuring that OPM servers are routinely patched. However, this policy has not been updated since August 2005. In August 2010, the OCIO informed the OIG that this policy is in the process of being updated.
   2a(12). Other
          No
3. Identify baselines reviewed:


Section 3: Status of Incident Response & Reporting Program
4. Selected response is:
   a. The Agency has established and is maintaining an incident response and reporting program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
      1. Documented policies and procedures for responding and reporting to incidents.
      2. Comprehensive analysis, validation and documentation of incidents.
      3. When applicable, reports to US-CERT within established timeframes.
      4. When applicable, reports to law enforcement within established timeframes.
      5. Responds to and resolves incidents in a timely manner to minimize further damage.
   Comments: OPM has developed an "Incident Response and Reporting Guide" that outlines the responsibilities of OPM's Computer Incident Response Team (CIRT) and documents procedures for reporting all IT security events to the appropriate entities. OPM appropriately reports security incidents internally, to US-CERT, and to law enforcement.

Section 4: Status of Security Training Program
5.
Selected   re~pollst\'   is:\n           b. The Agelu:y hlls estllblished lind is maintaining a security training program. 1I0\\\\,(\'ver, the A~enc}\' ne(\'ds to make significant\n           improvements as nott\'d bdow.\n\n\n\n\n(JIG Repllr. - ,\\nnulIllOIO\n                                                                                 For OffiCial Usc Only\n\x0c~eetion 4: Status of Security Training Program\n                                   Comments:       OPM\'s OCIO has implemented a process to provide annual IT secllrity and privacy awareness trjIining to all OPM .\n                                                   employees and contractors.\n\n                                                   Over 99 percent ofOPM\'s employees and contractors completed the security awareness training course in FY\n                                                   20 I 0; However, only 87 percent of employees with security responsibility took specialized security training in FY\n                                                   2010.\n         Sa.      Areas for Improvement:\n                  5a(I).   Security awareness training policy is not fully developed.\n                           No\n                  5a(2).   Security awareness training procedures are not fully developed, sufficiently detailed or consistently implemented.\n                           No\n                  5a(3).   Specialized security training policy is not fully developed.\n                           Yes\n                                   Comments:       Agency employees with significant information security responsibilities are required to take specialized security\n                                                   training in addition to the annual awareness training.\n\n                                                   OPM\'s OCIO has issued developed a table outlining the security training reqnirements for specific job roles. 
The\n                                                   OCIO uses a spreadsheet to track the security training taken by employees that have been identified as having\n                                                   security responsibility. However, a significant portion (33 percent) ofthe individuals on the spreadsheet are listed\n                                                   with a job role that does not appear on the training requirements table (i.e., "significant responsibility"), making it\n                                                   impossible to determine whether these individuals received adequate training in FY 20 IO.\n                  5a(4).   Specialized security training procedures are not fully developed or sufficiently detailed (SP 800-50, SP 800-53). \n\n                           Yes \n\n                                   Comments:      ISee comments in 5a(3).\n\n                  5a(5).   Training material for security awareness training does not contain appropriate content for the Agency (SP 800-50, SP 800-53).\n                           No\n                  5a(6).   Identification and tracking of employees with login privileges that require security awareness training is not adequate (SP\n                           800-50, SP 800-53).\n                           No\nOIG Report\xc2\xb7 Annual20JO                                                                                                                                                 rage 7 of 17\n                                                                            For Official Use Only\n\x0c~OD 4: Status oC Security TraiDiDg Program\n                    5a(7).     Identification and tracking of employees without login privileges that require security awareness training is not adequate (SP\n                               800-50, SP 800-53).\n                               No\n                    5a(8).     
Identification and tracking of employees with significant information security responsibilities is not adequate (SP 800-50, SP\n                               800-53).\n                               Yes\n                                          Comments:   ISee comments in Sa(3).\n\n                    5a(9).     Training content for individuals with significant information security responsibilities is not adequate (SP 800-53, SP 800-16).\n                               No\n                    5a(lO).    Less than 90% of employees with login privileges attended security awareness training in the past year.\n                               No\n                    5a( II).   Less than 90% of employees, contractors, and other users with significant security responsibilities attended specialized\n                               security awareness training in the past year.\n                               Yes\n                                          Comments:   Eighty-seven percent ofOPM\'s employees identified as having information security responsibility have completed\n                                                      at least one hour ofspecialized security traioing inFY 2010.\n\n                    5a( 12). Other\n                               No\n~tiOD 5: Status ofPIaDs of ActioDs & MilestoDes (POA&M) Program\n6.       Selected response is:\n         b. The Agency has established and is maintaining a POA&M program that tracks and remediates known information security\n         weaknesses. However, the Agency needs to make significant improvements as noted below. \n\n          6a.       Areas for Improvement: \n\n                    6a(l).     POA&M Policy is not fully developed. \n\n                               No \n\n                    6a(2).     POA&M procedures are not fully developed, sufficiently detailed or consistently implemented. 
\n\n                               Yes \n\n\nOU; Report - Annual 2010                                                                                                                                         Pat:=e 8 of 17\n                                                                                For Official Use Only\n\x0c~ection 5: Status of Plans of Amons & MUestones (POA&M) Proanun\n                                     Comments: \n OPM\'s OCIO has developed a POA&M Guide and published it to the agency\'s internal website. HQ)Vever, the \n\n                                                 OIG identifie~ several POA&M refllted weaknessesthljt indicate that the OCIO.has.not provided adequate \n\n                                                 procedure guidance and training regarding appropriate management of POA&Ms. \n\n                    6a(3).   POA&Ms do not include all known security weaknesses (OMB M-04-25).\n                             Ves\n                                     Comments:      In October 2009, the OIG issued the FY 2009 FISMA audit report with 30 audit recommendations. We verified\n                                                    that a1130 of the recommendations were I!PPropriately incorporated into the OCIO POA&M.\n\n                                                    The OIG conducted audits oftbree OPM systems in FY 2009 with a total ofthree audit recommendations that\n                                                    remained outstanding at the time the reports were issued. However, none ofthese audit recommendations\n                                                    appeared in the POA&M ofthe related system. Although each ofthese weaknesses has since been remediated,\n                                                    they should be documented in the system\'s POA&M for tracking purposes.\n                    6a(4).   Remediation actions do not sufficiently address weaknesses (NIST SP 800-53, Rev. 3, Sect. 
3.4 Monitoring Security\n                             Controls).\n                             No\n                    6a(5).   Initial date of security weaknesses are not tracked (OMB M-04-25).\n                             No\n                    6a(6).   Security weaknesses are not appropriately prioritized (OMB M-04-25).\n                             No\n                    6a(7).   Estimated remediation dates are not reasonable (OMB M-04-25).\n                             Ves\n                                     Comments:      The POA&Ms for nine OPM systems contain security weaknesses with remediation activities over 120 days\n                                                    overdue. In the third quarter of2010, OPM systems had a total of 58 POA&M items over 120 days overdue, an\n                                                    increase from 26 overdue items during the same time period in FY 2009.\n\n                                                    This indicates that the OCIO has not provided adequate leadership and guidance to ensure that program offices\n                                                    assign reasonable POA&M due dates and stay on track to meet those dates. Program offices are equally\n                                                    responsible for dedicating adequate resources to addressing POA&M weaknesses and meeting target objectives.\n                    6a(8).   Initial target remediation dates are frequently missed (OMB M-04-25).\n\nOIG Reporl - Annual 2010                                                                                                                                        Page 9 of 17\n                                                                           For Official Use Only\n\x0c~eetion 5: Status of Plans of Actions & Milestones (POA&M) Program\n                               Yes\n                                       Comments:      ISee comments in 6a(7)\n\n                      6a(9).   
POA&Ms are not updated in a timely manner (NIST SP 800-53, Rev. 3, Control CA-5, and OMB M-04-25).\n                               No\n                      6a(IO). Costs associated with remediating weaknesses are not identified (NIST SP 800-53, Rev. 3, Control PM-J & OMB M-04-25).\n                               No\n                      6a(II). Agency CIO does not track and review POA&Ms (NIST SP 800-53, Rev. 3, Control CA-5, and OMB M-04-25).\n                               Yes\n                                       Comments:       The OIG selected one closed POA&M item from nine OPM systems and reviewed the proof of closure\n                                                       documentation provided by the program offices when the POA&M items were closed. Adequate proof of closure\n                                                       was provided for eight ofthe nine systems tested. Proof of closure was not available for three POA&M items\n                                                       selected for the ninth system, and the program office subsequently reopened these security weakness.es. The\n                                                       OeIO\'s failure to adequately review proof ofclosure documentation before allowing program offices to close\n                                                       POA&M items increases the risk that security weaknesses remain unaddressed.\n                      68( 12). Other\n                               No\n\nlSIclion 6: Status of Remote Access Program\n7.        Selected response is:\n          h. The Agency has established and is maintaining a remote access program. However, the Agency needs to make significant \n\n          improvements as noted below. \n\n           7a.       Areas for Improvement: \n\n                      7a(I).   Remote access policy is not fully developed. 
\n\n                               Yes \n\n                                       Comments: \n Although OPM has implemented a telecommuting policy that provides guidance on the establishment, management,\n                                                   and maintenance of telecommuting, it does not address the technical elements oftelecommuting suggested by the\n                                                   NIST "Guide to Enterprise Telework and Remote Access Security." In addition, the telecommuting policy has not\n                                                   been updated since 200 I. \n\n                      7a(2).   Remote access procedures arc not fully developed, sufficiently detailed or consistently implemented. \n\nOIG Report - Annual 20 III                                                                                                                                     Page 10 of 17\n                                                                                For Official Use Only\n\x0c~OD 6: Status of Rmtote Aeeess Pl\'OIram\n\n                                     Comments:      ISee COtiunenl,Sin 7a(1).\n                  7a(3).    Telecommuting policy is Dot fully den loped (NIST 800-46. St\'clion S.I ,.\n                            y"\n                                     Comments:      ISee comments in 7a(1).\n                  7a( 4).   TeJecomnlUting procedures are not fully developed or sllfficiently detailed (NIST 800-46, Sedion 5.4).\n                            Yes\n                                     Comments:      ISee tomments in 7a(1}.\n                  73(5).    Agency cannot idl\'ntify all users who require remole access (NIST 800-46. Section ".2. ~C1iOD S.1).\n                            No\n\n                  \'a(Ii}.   Mulli\xc2\xb7 lilctor authentication is not properly deployed (NIST 800-46. 
Section 2.2, Section J.3).\n                            y"\n                                     Comments:                      VirtUal Private                     client to provide remote users with secure access to the agency\'s\n                                                    In~~:;\'~nvirorunent The OPM VP~ requires uscmame and paasword authentication to uniquely identify users.\n                                                    11          maintains logs of individuals who remotely access-the network, and the Jogs are reviewed on a monthly\n                                                         for unusual activity or trends.\n\n\n\n\n                  7a(7).    A~ency   has not identified all remote devices (N 1ST 800-46, S(\'ction 2.1).\n                            No\n\n                  7a(8).    A~ency  has nOI determined all rem ole devices antllor end user com pulers have been prflilerly scrured (NIST 800-46, S\xc2\xabtilln\n                            3.1 and 4.2).\n                            No\n                  7a(9).    Agency does not :.tdcqlllltely monilor remote devices when COllllec(ed tn the agency\'s netl\\o\'orks remotely (NIST 800-46,\n                            Section 3.2).\nOI(;R~port _ Annu:dWIO                                                                                                                                                 Pagcllorli\n                                                                                For Official Use Only\n\x0c~oIl6: Status ofRemote Access Program\n                              No\n                    7a(10).   Lost or stolen devices are not disabled and appropriately reported (NIST 800-46, Section 4.3, US-CERT Incident Reporting\n                              Guidelines).\n                              No\n                    7a(II).   Remote access rules of behavior are not adequate (NIST 800-53, PL-4).\n                              No\n                    7a(12).   
Remote access user agreements are not adequate (NIST 800-46, Section 5.1, NIST 800-53, PS-6).\n                              No\n                    7a(13).   Other\n                              No\n\n~tiOil 7: Status of Account and Identity Muagement Program\n8. \t     Selected response is:\n         b. The Agency has established and is maintaining an account and identity management program that identifies users and network\n         devices. However, the Agenc,Y needs to make significant improvements as noted below. \n\n          8a.      Areas for Improvement: \n\n                    8a( I). \t Account management policy is not fully developed. \n\n                              No \n\n                                      Comments:     OPM maintains two policies regarding management ofuser accounts: one related to Windows network (LAN)\n                                                    users and the other related to mainframe users. Both policies contain procedures for creating user accounts with\n                                                    the appropriate level of access as well as procedures for removing access for terminated employees.\n\n                    8a(2).    Account management procedures are not fully developed, sufficiently detailed or consistently implemented.\n                              No\n                    8a(3).    Active Directory is not properly implemented (NIST 800-53, AC-2).\n                              No\n                    8a(4).    Other Non-Microsoft account management software is not properly implcmented(NIST 800-53, AC-2).\n                              No\n                    8a(5).    
Agene) cannot identify all User and Non-User Accounts (NIST 800-53, AC-2).\n\nOIG Report - Annual 2010                                                                                                                                          Page 12   or 17\n                                                                           For Official Use Only\n\x0cfj;1iO. 1: Statas of A_aa\' _ad Ide.1ity MoD_gemea\' PnpaIa\n                                No\n                      SM(6).    Accounts are not properly issued 10 new users (NIST 800-53, AC.2).\n                                No\n                      8a(7}.    Accounts are nut properly terminated wbeD users no longer require access (NIST 800-53, AC-Z).\n                                No\n                     8a(H).     Agency does nol usc multi-bctor au\'hcnlitalion where required (NIST 80U-53, IA-2),\n                                y.,\n                                        Comments:      Isee comme~ts in 1a(6).\n                      83(9).    Alleney bas not adequately planned for implementation of PIV for logical access (HSPD 12. FIPS 201. OMR M-OS-24. OMR\n                                M-07-06, OMS M-GH-UI).\n                                No\n                      8a(tO).   Privilegl.\'S granted are excessive or resul. in capability to perform conniclillg functions (NIST 800-53, AC-2. i\\C-6).\n                                No\n                      8a(II).   Agency does nol usc dual aeruuols for administrators (N 1ST SOO-53, AC-S, AC--6).\n                                No\n\n                     8a(12).    
Network de\\\'ices lIrc nof prollerly au\'hen\'ica\'cd (NIST 800-53, IA-3),\n                                y"\n                                        Comments:\n\n\n\n\n                      8a(I3),   Other\n                                No\n\n~tloD 8: Status of CODtinuous Monitorinl Program\n9,        Selected response is :\n          b, The Agency has established an entity-wide continuous monitoring program thtlt assesses the s\xc2\xaburity state of information systems.\n          Howcl\'Cr. the Agency needs to make signifi(\'allt imllronmcnts as ooted below,\n           9a.       Areas for Improvement :\n\nOIG Report - Annll:ll 2010                                                                                                                                1\'~l:t   1J of 17\n                                                                                 For Oflicial Use Only\n\x0cIStetiOD 8: Status of CODtinUOU8 MODitoriag Program\n                         9a(I).     Continuous monitoring policy is not fully developed.\n                                    Ves\n                                              Comments:     OPM\'sIT Sellurity and PrlvaeyPolicy Volume Z\xc2\xb7"tateS    ".,.. . 
\t that-\n                                                                                                                                 the .\n                                                                                                                                     security\t\n                                                                                                                                             controisofall\n                                                                                                                                                      \xc2\xad.,\'\n                                                                                                                                                           systems must be tested at\n                                                            least lIlinuaily to detern:line. the ~l\\tent towhi~1l the controls are implemented correctly, .operating as intended, and .\n                                                            meeting the security requireifients for the system;\n\n                                                            In addition. 
to\n                                                                          _\n                                                                            the \'annual\n                                                                                 \t  \'\n                                                                                        tests; OPM\'s infrastructure systems (LANIWANanllEnterprise\n                                                                                                                                           _ \'_\' r,:\' __\',\n                                                                                                                                                            Seiver) are subject\n                                                                                                                                                           ,_,_~_\'       "\n                                                                                                                                                                                to\n                                                            additional security control tests in the form of automated vulnerability scans.\xc2\xb7 Although these scans are performed\n                                                            routinely, the OCIO has not developed a Continuous Monitoring Policy to provide guidance on identifying\n                                                            high-risk security controls along with a strategy for testing them on a continuous basis.\n                         9a(2). \t   Continuous monitoring procedures are not fully developed or consistently implemented.\n                                    Ves\n                                              Comments:    ISee comments in 9a(1).\n\n                         9a(3).     
Strategy or plan has not been fully developed for entity-wide continuous monitoring (NIST 800-37).\n                                    Ves\n                                              Comments:    ISee comments in 9a(1).\n\n                         9a(4).     Ongoing assessments of selected security controls (system-specific, hybrid, and common) have not been performed (NIST\n                                    800-53, NIST 800-53A).\n                                    Ves\n                                              Comments:     The security controls were tested for only 28 ofOPM\'s 43 systems in FY 2010\n\n                         93(5). \t   The following were not provided to the system authorizing official or other key system officials: security status reports\n                                    covering continuous monitoring results, updates to security plans, security assessment reports, and POA&Ms (NIST 800-53,\n                                    NIST 800-53A). \n\n                                    No \n\n                         9a(6).     Other \n\n                                    Ves \n\n                                    Explanation for Other \n\n                                    List of Common Security Controls \n\n\n\nOIG Repor1   M   Annual 2010 \t                                                                                                                                                   Page 1-\' of 17\n                                                                                     For Official Use Only\n\x0c~on 8: Status of Continuous Monitoring Program\n                                      Comments:      Many ofthe applications in OPM\'ssystem inventory are housed in OPM\'s LANIWAN or Enterprise Server\n                                                     (mainframe) general suJjJjort s\xc2\xa5sttms (GSS). 
These applications inherit a significant portion of the information security controls required by NIST SP 800-53 from these environments. These inherited controls are referred to as "common controls."

When the security controls of a system are subject to testing, the program office conducting the test is not required to evaluate the controls inherited from the GSS, as these controls are certified by OPM's OCIO. However, the OCIO does not currently maintain a published list of common security controls, and individual program offices are responsible for determining which controls are inherited from a GSS, increasing the risk that certain security controls remain untested.

Section 9: Status of Contingency Planning Program
10.  Selected response is:
     b. The Agency has established and is maintaining an entity-wide business continuity/disaster recovery program. However, the Agency needs to make significant improvements as noted below.
     10a.  Areas for Improvement:

           10a(1). Contingency planning policy is not fully developed.
                   Yes
                   Comments: OPM's Information Security and Privacy Policy Volume 2 states that each system owner must "Test the contingency plan for the information system at least annually to determine the plan's effectiveness and the system's readiness to execute the plan." However, this policy does not provide instructions for conducting business impact assessments, developing contingency plans, or conducting the contingency plan test in accordance with NIST guidance.

           10a(2). Contingency planning procedures are not fully developed or consistently implemented.
                   Yes
                   Comments: See comments in 10a(1).

           10a(3). An overall business impact assessment has not been performed (NIST SP 800-34).
                   No

           10a(4). Development of organization, component, or infrastructure recovery strategies and plans has not been accomplished (NIST SP 800-34).
                   No

OIG Report - Annual 2010                                          Page 15 of 17
                           For Official Use Only

           10a(5). A business continuity/disaster recovery plan has not been developed (FCD1, NIST SP 800-34).
                   No

           10a(6). A business continuity/disaster recovery plan has been developed, but not fully implemented (FCD1, NIST SP 800-34).
                   No

           10a(7). System contingency plans missing or incomplete (FCD1, NIST SP 800-34, NIST SP 800-53).
                   Yes
                   Comments: Up-to-date contingency plans did not exist for 7 of the 43 systems on OPM's master system inventory. Five of 43 systems had documented contingency plans, but they were not reviewed or updated in FY 2010. The OIG was not provided with evidence that a documented contingency plan exists for the remaining two systems.

           10a(8). Critical systems contingency plans are not tested (FCD1, NIST SP 800-34, NIST SP 800-53).
                   Yes
                   Comments: The contingency plans for 30 of OPM's 43 systems were tested in FY 2010 in full compliance with the requirements of NIST SP 800-34, Contingency Planning Guide for Information Technology Systems. Eleven of 43 system contingency plans were tested in FY 2010, but not with a scenario-based contingency plan test conducted in accordance with NIST SP 800-34 requirements. The remaining two system contingency plans were not subject to any form of contingency plan test in FY 2010.

           10a(9). Training, testing, and exercises approaches have not been developed (FCD1, NIST SP 800-34, NIST SP 800-53).
                   Yes
                   Comments: OPM's Information Security and Privacy Policy Volume 2 states that each system owner must "Test the contingency plan for the information system at least annually to determine the plan's effectiveness and the system's readiness to execute the plan." However, this policy does not provide instructions for conducting business impact assessments, developing contingency plans, or conducting the contingency plan test in accordance with NIST guidance.

           10a(10). Training, testing, and exercises approaches have been developed, but are not fully implemented (FCD1, NIST SP 800-34, NIST SP 800-53).
                    No

           10a(11). Disaster recovery exercises were not successful or revealed significant weaknesses in the contingency planning (NIST SP 800-34).
                    No

           10a(12). After-action plans did not address issues identified during disaster recovery exercises (FCD1, NIST SP 800-34).
                    No

           10a(13). Critical systems do not have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53).
                    No

           10a(14). Alternate processing sites are subject to the same risks as primary sites (FCD1, NIST SP 800-34, NIST SP 800-53).
                    No

           10a(15). Backups of information are not performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53).
                    No

           10a(16). Backups are not appropriately tested (FCD1, NIST SP 800-34, NIST SP 800-53).
                    No

           10a(17). Backups are not properly secured and protected (FCD1, NIST SP 800-34, NIST SP 800-53).
                    No

           10a(18). Other
                    No

Section 10: Status of Agency Program to Oversee Contractor Systems
11.  Selected response is:
     c. The Agency does not have a program to oversee systems operated on its behalf by contractors or other entities.
                   Comments: OPM's master system inventory indicates that 11 of the agency's 43 major applications are operated by a contractor.

                   In prior audits, the OIG has verified that the security controls of these contractor systems were tested by an OPM employee. However, in FY 2010, 7 of the 11 contractor systems were not subject to security control testing.

                   In addition, OPM does not have a formal policy providing the OCIO and other program offices guidance on the appropriate oversight of contractors and contractor-run systems.